> From: Durand, Dustin [mailto:dustin_dur...@intuit.com] 
> Subject: Cookie Header Not Being Parsed

> I've been attempting to track down an issue where the cookies aren't being
> parsed out of the cookie header in rare cases. We're using a Java service
> that utilizes JSession, so this causes the user's session to be lost every
> time one of these failures occurs.

> Version: Tomcat 8.5.31 and 8.5.34 (Attempted to upgrade)

Thanks for supplying the version info; many people forget.

> During the load tests we see the rare request come into the service where the
> filter dumps the cookie header which includes the expected cookies, but when
> the filter attempts to pull the cookies from the HttpServletRequest they're
> missing. To make it more interesting, the value cookie header usually matches
> the previous request(s) cookie header value for that user, which was parsed
> successfully.

The last sentence is the key point, indicating the probable source of the
problem: your application is likely hanging on to some reference to the
prior request and inadvertently using it when a new request shows up.  This
often takes the form of instance variables in a servlet being used to hold
request information.  Since the servlet object is shared across all requests
using it, information leakage can occur between concurrent requests; this is
also true for filters used in the request handling.  Leakage can also occur
with other singletons used by the webapp, or in any persistent data
maintained by the app (e.g., in a session object).

  - Chuck
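
The shared-instance leakage described in the reply above, as an added example that is not part of the original thread or of Tomcat: a plain-JDK stand-in for a filter (the class names `LeakyFilter` and `SafeFilter`, the `Handler` interface and the header values are hypothetical and constructed) that counts how often one request reads another request's cookie header.

```java
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

// Added illustration: one filter-like object shared by many request threads.
public class SharedFilterStateDemo {

    // Hypothetical filter that keeps request data in an instance field.
    static class LeakyFilter {
        private String cookieHeader;              // shared by every request thread

        String handle(String header) {
            cookieHeader = header;                // request A stores its header
            Thread.yield();                       // request B may overwrite it here
            return cookieHeader;                  // A may now read B's header
        }
    }

    // Same logic with the request data confined to the call stack.
    static class SafeFilter {
        String handle(String header) {
            String cookieHeader = header;         // local: one copy per request
            Thread.yield();
            return cookieHeader;
        }
    }

    interface Handler { String handle(String header); }

    // Runs `requests` simulated requests on 8 threads and counts the ones
    // that got back a different request's cookie header.
    static int countLeaks(Handler h, int requests) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(8);
        AtomicInteger leaks = new AtomicInteger();
        CountDownLatch done = new CountDownLatch(requests);
        for (int i = 0; i < requests; i++) {
            String header = "JSESSIONID=constructed-" + i;   // constructed sample value
            pool.execute(() -> {
                if (!header.equals(h.handle(header))) leaks.incrementAndGet();
                done.countDown();
            });
        }
        done.await();
        pool.shutdown();
        return leaks.get();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("instance field leaks: " + countLeaks(new LeakyFilter()::handle, 200_000));
        System.out.println("local variable leaks: " + countLeaks(new SafeFilter()::handle, 200_000));
    }
}
```

The instance-field count varies from run to run and is typically nonzero on a multi-core machine; the local-variable count is always 0 because nothing is shared between threads.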

