Prashant Chotu

Greenhorn
since Jun 28, 2012

Recent posts by Prashant Chotu


For some reason, the default packetSize (8KB) on the AJP connector in server.xml does not suffice for my need. My header size exceeds 8KB, so I need to set it to 16KB. As I am running Apache in front of Tomcat, I also need to set the max_packet_size directive to 16KB in workers.properties.

Can you please explain if there is any issue/impact in increasing packetSize? I am using Tomcat 7.0.25.

Thank you very much.
11 years ago

Hello
Is there any configuration in the Tomcat context.xml file so that if I give a non-empty context path in the URL, my ROOT.war is browsed?

For example: browsing localhost:8080 gives access to the webapps/ROOT directory.

I want: browsing localhost:8080/xyz should give access to the webapps/ROOT directory.

Is it possible?
11 years ago
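One way to serve the ROOT application under a second, non-empty path is a Host-level Context in server.xml, as an added example that is not part of the original post or the Tomcat project. The application name, the path /xyz and the docBase location are assumptions; the docBase is deliberately placed outside the Host's appBase (webapps), because a Context whose docBase lies inside appBase is also picked up by autoDeploy and gets deployed twice.

```xml
<!-- conf/server.xml, inside the <Host> element (added example, not the poster's config).
     appBase is still "webapps", so ROOT.war keeps being served at "/". -->
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

  <!-- Same application mounted again at /xyz.  The directory is an assumed path
       holding a second copy of the exploded ROOT application; it must NOT be
       ${catalina.base}/webapps/ROOT, or the Host would deploy it twice. -->
  <Context path="/xyz" docBase="/opt/apps/root-copy" />

</Host>
```

A caveat worth knowing before doing this: the two Contexts are two separate web applications to Tomcat, each with its own session manager and JSESSIONID cookie (the cookie path differs), so a user logged in under / is not logged in under /xyz. If the intent is simply to rename the application, dropping a copy of ROOT.war into webapps as xyz.war is the simpler and better-supported route.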


I am using Tomcat 7 and wish to tune the maxThreads attribute in server.xml.

Is there any selection criteria for this attribute? I have 8 GB RAM in my machine and allocate 4 GB RAM to the Tomcat JVM using -Xms and -Xmx in JAVA_OPTS.

Let me know if you need more information.

Thanks.
11 years ago
What is this - here is the link aspose file stuff ???
11 years ago
I do use session stickiness and am planning to use in-memory replication (option 3).

But I see a drawback in using this option: the session will unnecessarily be replicated from one application server to another. The replicated session is only needed if one Tomcat fails, as I am using session stickiness.
I have googled about this and got to know about using memcached.

If you know about memcached, kindly share your experience of a memcached node with session replication.
11 years ago
Don't paste rubbish if you do not know the answers.
11 years ago

Hello,

The Apache Tomcat doc says there are three ways we can achieve session replication among Tomcat nodes:

1. Using session persistence, and saving the session to a shared file system (PersistenceManager + FileStore)
2. Using session persistence, and saving the session to a shared database (PersistenceManager + JDBCStore)
3. Using in-memory-replication, using the SimpleTcpCluster that ships with Tomcat 6 (lib/catalina-tribes.jar + lib/catalina-ha.jar)

In my application, I use a SINGLE cluster having TWO Tomcat 7.0.25 nodes. I want to configure session replication between these two nodes. Can anybody provide some points describing which one I should use and why?

I am able to set up session replication using point 3. It works well.

I want to play with options 1 & 2 also, but I am not able to find any link that describes points 1 & 2. It would be really very helpful if anyone can provide me some docs or links on point 1 & point 2.

Thanks in advance.
11 years ago
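The configuration for options 1 and 2 from the post above, as an added example that is not from the original post or from the Tomcat project's own documentation. Both are Manager elements in context.xml (conf/context.xml for every application on the node, or the application's META-INF/context.xml), and both must be identical on the two nodes. The shared directory, the JDBC URL and the credentials are placeholders; the table layout is the one JDBCStore expects, with column names matching the attributes in the config.

```xml
<!-- Option 1: PersistentManager + FileStore on a directory shared by BOTH nodes
     (added example; the mount point is an assumption). -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           maxIdleBackup="30"
           maxIdleSwap="-1"
           minIdleSwap="-1"
           saveOnRestart="true">
    <!-- sessions idle for more than 30 s are written here; -1 = never swap out of memory -->
    <Store className="org.apache.catalina.session.FileStore"
           directory="/mnt/shared/tomcat-sessions" />
  </Manager>
</Context>

<!-- Option 2: PersistentManager + JDBCStore against a shared database
     (added example; host, database and credentials are placeholders). -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           maxIdleBackup="30"
           maxIdleSwap="-1"
           minIdleSwap="-1"
           saveOnRestart="true">
    <!-- the driver jar must be in $CATALINA_HOME/lib; note &amp; for & inside an attribute -->
    <Store className="org.apache.catalina.session.JDBCStore"
           driverName="com.mysql.jdbc.Driver"
           connectionURL="jdbc:mysql://DB_HOST:3306/tomcat?user=DB_USER&amp;password=DB_PASSWORD"
           sessionTable="tomcat_sessions"
           sessionIdCol="session_id"
           sessionValidCol="valid_session"
           sessionMaxInactiveCol="max_inactive"
           sessionLastAccessedCol="last_access"
           sessionAppCol="app_name"
           sessionDataCol="session_data" />
  </Manager>
</Context>

<!-- Table the JDBCStore above reads and writes (column names match the attributes):
     create table tomcat_sessions (
       session_id     varchar(100) not null primary key,
       valid_session  char(1)      not null,
       max_inactive   int          not null,
       last_access    bigint       not null,
       app_name       varchar(255),
       session_data   mediumblob,
       key kapp_name (app_name)
     );
-->
```

Two points decide between these and option 3. PersistentManager is not continuous replication: a session reaches the store only when it has been idle for maxIdleBackup seconds or on a clean shutdown (saveOnRestart), so after a node crash the surviving node sees the last backed-up copy, not the last request. That is acceptable with session stickiness, which is exactly the situation in the post. Second, the store holds serialized session state, so everything placed in the session must be Serializable, a shared filesystem or database must be protected as carefully as the application itself (an attacker who can read it holds every live session), and the database credentials in context.xml should be a least-privilege account limited to that one table. For the objection raised in the later memcached post, that in-memory replication copies every session to every node, Tomcat's own clustering also offers BackupManager, which replicates each session to a single backup node instead of the all-to-all DeltaManager.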
Hi ,

can anyone please tell me how many simultaneous active connections/threads Tomcat 7 can handle on AJP connector port 8009? And what will happen if this limit is exceeded?
server.xml -
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Let me know if you need more info

Thanks,
Prashant Gupta
11 years ago
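The three connector questions on this page (the AJP connection limit just above, the maxThreads sizing question and the packetSize question further up) come down to a handful of attributes on the same Connector element. Below is an added example, not the poster's server.xml and not a Tomcat default file; the numbers are assumptions to be sized for the machine, not recommendations.

```xml
<!-- conf/server.xml: AJP connector sitting behind Apache httpd / mod_jk
     (added example; values are assumptions). -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           packetSize="16384"
           maxThreads="200"
           acceptCount="100"
           connectionTimeout="60000" />

<!-- address:            AJP carries no authentication of its own, so bind it to the loopback
                         (or the private interface httpd sits on), never to all interfaces.
     packetSize:         default 8192, maximum 65536.  The buffer is allocated per AJP
                         connection, so 16384 doubles that memory per connection; that is the
                         main cost of raising it.  mod_jk must agree, otherwise requests with
                         large headers fail at the httpd side.
     maxThreads:         request-processing threads, default 200.  With the blocking AJP
                         connector in Tomcat 7 each open connection from httpd occupies one
                         thread (maxConnections defaults to maxThreads here).
     acceptCount:        default 100.  When every thread is busy, new connections wait in the
                         OS accept backlog up to this size; beyond that they are refused and
                         mod_jk reports the worker as failed and returns 503 to the browser.
     connectionTimeout:  AJP defaults to no timeout, so idle httpd connections keep their
                         thread forever; 60000 ms reaps them. -->
```

The matching mod_jk side is worker.<name>.max_packet_size=16384 in workers.properties, which must equal packetSize exactly. On the sizing question: maxThreads is bounded by the number of connections httpd can open (each httpd worker that talks to Tomcat holds one persistent AJP connection, so maxThreads should be at least the httpd MaxClients / MaxRequestWorkers that route to this node), not by heap size; 4 GB of heap says nothing about how many threads the application's request handlers can keep busy. Measure with a load test and watch the thread pool via JMX rather than guessing, and check httpd's own LimitRequestFieldSize if the oversized headers originate at the browser.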
I just want to protect my app from session fixation attack. I give you a scenario: suppose an attacker who is also a user of my app and has a valid JSESSIONID. If the attacker sets this valid JSESSIONID in the victim's browser via any means, then the next login of the victim will be in the session fixed by the attacker, as the JSESSIONID cookie value is getting changed on login. And the attacker, without login, will be able to access all the pages which need login.

That is why I need to change the JSESSIONID on each successful login.

Thanks,
Prashant Gupta
11 years ago
1. You can use the below utility function. It invalidates the existing session and creates a new session with all the attributes copied from the existing one, except JSESSIONID.

// Groovy: session is the current HttpSession, request the current HttpServletRequest
public static def invalidateExistingSessionAndCreateNewSession(def session, def request) {
    // Snapshot the attributes of the old session (getAttribute replaces the deprecated getValue)
    def map = new HashMap()
    def sessionAttributes = session.attributeNames
    while (sessionAttributes.hasMoreElements()) {
        def attributeName = sessionAttributes.nextElement()
        if (!"JSESSIONID".equalsIgnoreCase(attributeName)) {
            map.put(attributeName, session.getAttribute(attributeName))
        }
    }
    // Discard the old session id and let the container issue a fresh one
    session.invalidate()
    session = request.getSession(true)
    // Restore the application state into the new session
    for (Map.Entry entry : map.entrySet()) {
        session.setAttribute(entry.getKey(), entry.getValue())
    }
    return session
}

2. If you make use of Valve in Context, then I think the session gets renamed. Its existing attributes do not get destroyed.

Thanks,
Prashant Gupta
11 years ago
Thanks Tim for the reply.
Actually, my entire application, all the pages, runs on SSL (https). So is there any provision in Tomcat 7 so that the JSESSIONID cookie value gets changed on each successful login?

Right now we are doing it through code: on login we manually invalidate the existing session and create a new session with all the attributes copied from the existing session.
Is it possible that the JSESSIONID value can be renamed randomly?

Regards,
Prashant Gupta
11 years ago
Hi,

According to the docs, Tomcat 7 is not vulnerable to session fixation attack. But my Tomcat 7.0.25 as well as 7.0.27 is vulnerable to this attack.
The JSESSIONID is not getting changed on successful login.

I added following Valve to my conf/context.xml. But this didn't work. Please help me.

<Valve className="org.apache.catalina.authenticator.BasicAuthenticator" changeSessionIdOnAuthentication="true" />

Thanks,
Prashant Gupta
11 years ago