Request assumes identity of another user who logs in concurrently due to Apache CacheIgnoreHeaders
Problem
- The session spontaneously switches to another user
- The JSESSIONID cookie of the victim is set for the "perpetrator" leading to unintended session-stealing behavior
Cause
The Apache web server, which proxies the Tomcat server, was configured to cache certain fixed-content files to relieve Tomcat of the traffic. The configuration does not use the CacheIgnoreHeaders directive to tell mod_cache not to store "Set-Cookie" headers with the cached responses. In this situation the cached item, together with its Set-Cookie header, can be returned to another user, so that user receives the wrong session.
Solution
If these problems are encountered, you can either:
- try disabling the mod_cache module completely, or
- invoke the directive CacheIgnoreHeaders Set-Cookie in Apache's mod_proxy configuration
For more details on how to configure mod_cache, see Configuring Apache to Cache Static Content via mod_disk_cache
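The following configuration is an added example, not part of the original article: it shows a minimal Apache reverse proxy in front of Tomcat with the weak caching block (commented out) next to the hardened form that adds CacheIgnoreHeaders Set-Cookie. The server name, backend address, cache paths and the /static/ prefix are assumed for illustration.

```apacheconf
# Added example (not from the original article). Hostnames, paths and the
# backend URL are assumptions chosen for illustration.
LoadModule cache_module       modules/mod_cache.so
LoadModule cache_disk_module  modules/mod_cache_disk.so
LoadModule proxy_module       modules/mod_proxy.so
LoadModule proxy_http_module  modules/mod_proxy_http.so

<VirtualHost *:80>
    ServerName app.example.com

    # Everything is proxied to Tomcat (assumed to listen on 127.0.0.1:8080).
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    # --- Weak (commented out): static files are cached, but any Set-Cookie
    # header Tomcat attaches to a /static/ response (e.g. JSESSIONID) is
    # stored with the cache entry and replayed to every later client.
    # CacheEnable disk /static/
    # CacheRoot /var/cache/apache2/mod_cache_disk

    # --- Hardened: same caching of /static/, but Set-Cookie is dropped before
    # the response is written to the cache, so no session id can be shared.
    CacheEnable disk /static/
    CacheRoot /var/cache/apache2/mod_cache_disk
    CacheIgnoreHeaders Set-Cookie

    # Adds an X-Cache: HIT/MISS header so cache behaviour can be checked.
    CacheHeader on
</VirtualHost>
```

After reloading Apache, a simple check is to fetch a cached path from two separate clients (no cookie jar shared) and confirm that the second response reports X-Cache: HIT and carries no Set-Cookie header; if a JSESSIONID still appears on the HIT, the directive is not in effect for that virtual host.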
Last updated: November 2, 2018