CAS 5.3 with tomcat 8.5.57 User logged in sees another user information


Juan Quintanilla

Jan 13, 2021, 5:13:34 PM
to CAS Community, Noemi Valle
Hello,

We are running CAS 5.3 and Tomcat 8.5.57 and experienced a scenario where a user logged into a SAML2 service and saw another user's information. They logged out and logged back in and saw their own information. We encountered something similar in the past when we had CAS 3.6 and Tomcat 8.0, and it had to do with Tomcat using the same jsessionid for the user who authenticated a few seconds before: the user coming in after was given the same jsessionid. We would have to bounce the environment completely.

We have haveged installed on the VM to help. Has anyone encountered a similar issue? We had one user report the issue; unfortunately, we don't see a way to capture this information in the logs, and nothing in the logs stands out for this particular case.

Thanks!

___________________
Juan Quintanilla

Ray Bon

Jan 14, 2021, 12:02:55 PM
to cas-...@apereo.org, nva...@fiu.edu
Juan,

I worked on a [non-CAS] project years ago where this type of behaviour would happen in a classroom setting. I suspected it was some network hardware that could not distinguish the request-response pairs and 'guessed' which response matched which client request.
I never had a chance to solve this problem, so I am not much help.

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I respectfully acknowledge that my place of work is located within the ancestral, traditional and unceded territory of the Songhees, Esquimalt and WSÁNEĆ Nations.

Juan Quintanilla

Jan 14, 2021, 3:00:57 PM
to cas-...@apereo.org, Noemi Valle, Raul Bringas
Thanks, Ray, for your input. We only encountered one case that we know of. We are enabling more logging in the access logs to capture the session ID and are also planning to update to 8.5.61, as we did see some bug fixes. We are not sure where the issue is, or if this was just an isolated issue, but our guess is the web servlet, as we encountered something similar in a previous version of Tomcat. The only difference now is that we don't see any errors related to this event.

___________________
Juan Quintanilla
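Since the plan above is to add the session ID to the Tomcat access logs, here is an added example (not from this thread or from the CAS project) of what you can then check: a small Python script that parses Tomcat AccessLogValve lines and flags any JSESSIONID that was presented by more than one client address, which is the signature of the collision described in the first post (or of a stolen or fixated cookie). It assumes the valve is configured with the pattern `%h %l %u %t "%r" %s %b %S`, where Tomcat's `%S` field is the session ID; the log lines, addresses and session IDs are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the Tomcat AccessLogValve format
#   pattern='%h %l %u %t "%r" %s %b %S'
# The last field (%S) is the session ID Tomcat associated with the request,
# or "-" when the request carried no session. Two different client hosts
# (10.0.0.11 and 10.0.0.42) present the same session ID a few seconds apart.
SAMPLE_LOG = """\
10.0.0.11 - - [13/Jan/2021:17:10:01 -0500] "GET /cas/login?service=https%3A%2F%2Fsp.example.edu HTTP/1.1" 200 5120 A1B2C3D4E5F60718293A4B5C6D7E8F90
10.0.0.11 - - [13/Jan/2021:17:10:04 -0500] "POST /cas/login HTTP/1.1" 302 - A1B2C3D4E5F60718293A4B5C6D7E8F90
10.0.0.42 - - [13/Jan/2021:17:10:07 -0500] "GET /cas/login?service=https%3A%2F%2Fsp.example.edu HTTP/1.1" 200 5120 A1B2C3D4E5F60718293A4B5C6D7E8F90
10.0.0.42 - - [13/Jan/2021:17:10:09 -0500] "POST /cas/login HTTP/1.1" 302 - A1B2C3D4E5F60718293A4B5C6D7E8F90
10.0.0.77 - - [13/Jan/2021:17:12:30 -0500] "GET /cas/login HTTP/1.1" 200 5120 0F1E2D3C4B5A69788796A5B4C3D2E1F0
10.0.0.77 - - [13/Jan/2021:17:12:33 -0500] "POST /cas/login HTTP/1.1" 302 - 0F1E2D3C4B5A69788796A5B4C3D2E1F0
10.0.0.11 - - [13/Jan/2021:17:40:00 -0500] "GET /cas/logout HTTP/1.1" 200 1200 -
"""

# One regex for the assumed pattern; %t is the bracketed common-log timestamp.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<session>\S+)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def find_shared_sessions(log_text):
    """Return {session_id: {"hosts": [...], "gap_seconds": n}} for every session ID
    that was presented by two or more distinct client hosts.

    gap_seconds is the time between the first host's first use of the ID and the
    last host's first use of it; a gap of a few seconds is what a session ID
    collision at login time looks like, a gap of hours is more likely cookie theft
    or a user moving between networks."""
    first_seen = defaultdict(dict)  # session id -> {host: first time it presented the id}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["session"] == "-":
            continue
        hosts = first_seen[rec["session"]]
        if rec["host"] not in hosts or rec["time"] < hosts[rec["host"]]:
            hosts[rec["host"]] = rec["time"]

    findings = {}
    for sid, hosts in first_seen.items():
        if len(hosts) < 2:
            continue
        times = sorted(hosts.values())
        findings[sid] = {
            "hosts": sorted(hosts),
            "gap_seconds": int((times[-1] - times[0]).total_seconds()),
        }
    return findings


if __name__ == "__main__":
    for sid, info in find_shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} seen from {info['hosts']} within {info['gap_seconds']}s")
```

Two caveats when running this over real logs: a campus NAT or proxy makes many users share one source address, so a genuine collision behind it is invisible to this check (log the `X-Forwarded-For` header via the valve's `%{X-Forwarded-For}i` field if a load balancer sits in front of Tomcat), and a single user switching from wired to wireless will show up as a false positive with a large gap. If a short-gap hit does turn up, the things to inspect on the Tomcat side are the JVM's entropy source (`-Djava.security.egd=file:/dev/./urandom`) and the `secureRandomAlgorithm` / `secureRandomClass` attributes on the `<Manager>` element, since the session ID generator is what has to produce distinct IDs for near-simultaneous logins.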


From: cas-...@apereo.org <cas-...@apereo.org> on behalf of Ray Bon <rb...@uvic.ca>
Sent: Thursday, January 14, 2021 12:02 PM
To: cas-...@apereo.org <cas-...@apereo.org>
Cc: Noemi Valle <nva...@fiu.edu>
Subject: Re: [cas-user] CAS 5.3 with tomcat 8.5.57 User logged in sees another user information
 

Note: This message originated from outside the FIU Faculty/Staff email system.


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4fe6f2d625ce3eff1326171606ab024bdef006e4.camel%40uvic.ca.
Reply all
Reply to author
Forward
0 new messages