MAR. 16

To "hijack" here means to switch some content with something else. Our team just found a big security issue with Apache and Jetty 6.1.5. The issue only happens when the two are combined. The case is like this: user_one logs in, and then user_two logs in with a blank cookie. The second user then gets all the cookies from the first user.

This is interesting, isn't it? It took the whole dev team more than one week to discover it. I need to write it down while it is still so clear in my mind. The reason behind it is that Apache and Jetty keep some kind of state between each other. Yes, you are right, HTTP should not contain any state, but weirdly this combination of Apache and Jetty does. By the way, we are using mod_proxy in Apache. So if the second user doesn't have a cookie, Jetty thinks the state is not correct. Like a transaction, it automatically rolls back the connection and gives the cookie to the second user, and the second user is then logged in as the first user.

Imagine if it were a bank system: it would be so interesting for you to log in as Bill Gates.

The fix is simple: upgrade Jetty to 6.1.19, which has fixed this problem. I hope this helps if you are trying to figure out what is going on with your Apache and Jetty.
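To check whether a deployment shows the symptom described above (a client that sent no cookie being handed a session id that already belongs to another client), here is an added example that is not from the original post. It assumes a custom Apache LogFormat recording the Cookie request header and the Set-Cookie response header, and the servlet default cookie name JSESSIONID; the sample log lines are constructed.

```python
import re

# Assumed Apache LogFormat (an assumption, not from the original post):
#   LogFormat "%h \"%r\" \"%{Cookie}i\" \"%{Set-Cookie}o\"" sessionaudit
LINE_RE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)" "([^"]*)"$')
SID_RE = re.compile(r'JSESSIONID=([^;\s"]+)')  # assumed session cookie name

# Constructed sample lines; addresses and session ids are made up.
SAMPLE_LOG = """\
10.0.0.5 "POST /login HTTP/1.1" "-" "JSESSIONID=aaa111; Path=/"
10.0.0.5 "GET /account HTTP/1.1" "JSESSIONID=aaa111" "-"
10.0.0.9 "POST /login HTTP/1.1" "-" "JSESSIONID=aaa111; Path=/"
10.0.0.7 "POST /login HTTP/1.1" "-" "JSESSIONID=bbb222; Path=/"
10.0.0.7 "GET /account HTTP/1.1" "JSESSIONID=bbb222" "-"
"""

def find_leaked_sessions(log_text):
    """Return (session_id, first_owner, other_client, request) findings."""
    owner = {}     # session id -> client that first received or presented it
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        client, request, req_cookie, set_cookie = m.groups()
        sent = SID_RE.search(req_cookie)
        issued = SID_RE.search(set_cookie)
        if issued and not sent:
            # Symptom from the post: a cookie-less request is answered with
            # a session id that another client already holds.
            sid = issued.group(1)
            if sid in owner and owner[sid] != client:
                findings.append((sid, owner[sid], client, request))
            owner.setdefault(sid, client)
        elif sent:
            owner.setdefault(sent.group(1), client)
    return findings

if __name__ == "__main__":
    for sid, first, other, req in find_leaked_sessions(SAMPLE_LOG):
        print(f"session {sid}: first seen for {first}, re-issued to {other} on {req!r}")
```

Clients that share one address behind NAT cannot be told apart this way, so a clean result does not prove the proxy chain is unaffected.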
