Received: (qmail 41851 invoked by uid 501); 24 May 2000 03:13:04 -0000 Message-Id: <20000524031304.41850.qmail@locus.apache.org> Date: 24 May 2000 03:13:04 -0000 From: Anita Chan Reply-To: anitachan@hot-fax.com To: submit@bugz.apache.org Subject: session values are somehow reused without consistence checking in Apache/Jserv. X-Send-Pr-Version: 3.110 >Number: 6112 >Category: mod_jserv >Synopsis: session values are somehow reused without consistence checking in Apache/Jserv. >Confidential: no >Severity: non-critical >Priority: medium >Responsible: jserv >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Tue May 23 20:20:01 PDT 2000 >Closed-Date: >Last-Modified: Wed May 24 13:16:19 PDT 2000 >Originator: anitachan@hot-fax.com >Release: 1.3.6 >Organization: >Environment: uname -a SunOS roam 5.7 Generic_106541-08 sun4u sparc SUNW,Ultra-250 ./httpd -v Server version: Apache/1.3.6 (Unix) Server built: Aug 24 1999 14:35:54 >Description: I am using Apache HTTP Server 1.3.6 with Apache Jserv 1.0 for an Internet based email system. My system is written with Java 1.1.7 and Java 1.2, which is heavily relied on lots of session values. I used lots of codes to remember different clients' status, which are similar to the following: session.putValue(".....", "....."); session.getValue("....."); [In average I have 50-300 session values per request ] However, I found that some session values would "mess up" when I have more and more session requests. Eventually, all the displayed information would scope up as result of the incorrect session values. For example, I put down a set of session value for A, and another set of session values for B [those session values include their browser info, their unique ID and their password]. Initially, there is nothing wrong, client A and client B can only see their information. However, when more and more clients log on to the system, client A may see client B information rather than his information. If I restart the Apache, then everything would back to normal. It seem to me, it is an internal bug in the Apache Jserv engine. The session values are somehow reused without some consistence checking in Apache/Jserv. Do you have any suggestion for me to eliminate the problem? I notice the Jserv 1.1.1 is just released, do you think if I upgrade to the new version would help? Besides, may I know if the bug is fixed in the new version, does it have any limitation on the number (or size) of session values? How long would it clean up / refresh those session values? >How-To-Repeat: runtime error that is hard to repeat! You may load tons of session values in order to stress the Jserv and check each of the consistensy of each session value. >Fix: Increase your buffering size. [I mean there must be something to hold all the session values.] >Release-Note: >Audit-Trail: Responsible-Changed-From-To: apache-jserv Responsible-Changed-By: marc Responsible-Changed-When: Wed May 24 13:16:18 PDT 2000 Responsible-Changed-Why: jserv issue. Category-Changed-From-To: general-mod_jserv Category-Changed-By: marc Category-Changed-When: Wed May 24 13:16:18 PDT 2000 >Unformatted: [In order for any reply to be added to the PR database, you need] [to include in the Cc line and make sure the] [subject line starts with the report component and number, with ] [or without any 'Re:' prefixes (such as "general/1098:" or ] ["Re: general/1098:"). If the subject doesn't match this ] [pattern, your message will be misfiled and ignored. The ] ["apbugs" address is not added to the Cc line of messages from ] [the database automatically because of the potential for mail ] [loops. If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request from a ] [developer. Reply only with text; DO NOT SEND ATTACHMENTS! ]