I have an application in grails using spring-security for users and roles management. Since, past few days I am facing a strange issue: When one user logs in at some point the users becomes another user (session mix up).
Example: User A logs in to system, User B logs in to system from another browser, when moving through controller actions, at some random point User A becomes User B in User A system, same with User B, too.
This issue is in PRODUCTION and not development.
I have found some of similar cases over internet but none of grails. Spring Security/JSF/Hibernate Accidental Session Hijacking on Tomcat?, this similar one but in jsf and solution mentioned does not seem to work for me. Another one is Session mix up - apache httpd with mod_jk, tomcat, spring security - serving data of other user but here issue seems to be because of mod_jk which is not the case for me (I have not used mod_jk).
My system versions:
Finally, I found the issue.
Culprit were the ISPs (currently found in Subisu and Mercantile in Nepal). They would actually cache the whole page requested and when the same url is requested by another user within certain timeframe (few hours), provided both users in same ISP network, the cached page would be rendered to the next user.
How I found my issue: I did an experiment. First, I logged in with two different users in separate computers in same ISP, I immediately found the issue. Then I logged out one user in that ISP, disconnected from that ISP, connected to another ISP and logged in to the system. Now, I had User1 in Computer1 in ISP1 and User2 in Computer2 in ISP2, even after browsing for half hour the issue was not found.
How I fixed it: I generated unique uuid and appended to every menu link. This makes every url different, its been 4 days and the issue have not been found even once. In some menus I have not put the unique uuid and still the issue but not in those where I put the unique string.