https://bz.apache.org/bugzilla/show_bug.cgi?id=66120
Bug ID: 66120
Summary: j_security_check returns 408 if j_security_check
request lands on different tomcat server from the
original server
Product: Tomcat 9
Version: 9.0.30
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -----
Setup:
1. Have two Tomcat instances and session backup with Memcached for failover.
2. Use FormAuthenticator for authentication.
Scenario:
1. Render the login form from TC-instance-1.
2. Submit the login form request (j_security_check) to TC-instance-2 (to simulate
Tomcat failover, or the load balancer routing the request to another instance for any
reason).
Observation:
TC-instance-2 returns 408
Additional information:
From commit
https://github.com/apache/tomcat/commit/fd381e94f222831fd2bee697deb6246d417b8f33
the form authenticator expects the session id from a session note.
The session note being transient, it is not serialized and not backed up by the backup
manager. This results in the session being set to expire/null and a cascading 408 error.
With modern infrastructure, failure is expected (like pod/node eviction
[Kubernetes HPA thrashing] or a load balancer's consistent hashing algorithm
changing stickiness), so failover is more frequent.
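A simplified model of the failure described in this report, added here as an example; it is not Tomcat's code or the reporter's. `ModelSession`, `failover`, `loginStatus` and the note key are hypothetical names, and the check follows the report's description: session attributes survive the serialization round trip to the second instance, the transient note map does not, so the login POST there is answered with 408.

```java
import java.io.*;
import java.util.HashMap;
import java.util.Map;

public class SessionNoteFailoverDemo {
    // Hypothetical stand-in for a container session: attributes are
    // serialized to the backup store, notes are transient and stay in the JVM.
    static class ModelSession implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        final Map<String, Object> attributes = new HashMap<>();
        transient Map<String, Object> notes = new HashMap<>();
        ModelSession(String id) { this.id = id; }

        Object getNote(String name) {
            // After deserialization the transient field is null, not an empty map.
            return notes == null ? null : notes.get(name);
        }
    }

    static final String SESSION_ID_NOTE = "model.SESSION_ID"; // constructed key

    // Simulates the backup manager: serialize on instance 1, load on instance 2.
    static ModelSession failover(ModelSession s) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(s);
        }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            return (ModelSession) in.readObject();
        }
    }

    // Model of the check as the report describes it: the login POST is only
    // processed when the session-id note matches the requested session id.
    static int loginStatus(ModelSession s, String requestedSessionId) {
        Object expected = s.getNote(SESSION_ID_NOTE);
        return requestedSessionId.equals(expected) ? 200 : 408;
    }

    public static void main(String[] args) throws Exception {
        ModelSession onInstance1 = new ModelSession("ABC123"); // constructed id
        onInstance1.attributes.put("cart", "3 items");         // constructed data
        onInstance1.notes.put(SESSION_ID_NOTE, onInstance1.id);
        ModelSession onInstance2 = failover(onInstance1);
        System.out.println("instance 1: " + loginStatus(onInstance1, "ABC123"));
        System.out.println("instance 2: " + loginStatus(onInstance2, "ABC123"));
        System.out.println("attributes on instance 2: " + onInstance2.attributes);
    }
}
```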