Glassfish 3.0.1 with JAAS and SSO is mixing user sessions
We are experiencing a strange behaviour with our Glassfish 3.0.1 installations: sometimes, randomly, user sessions get mixed, so one user starts seeing information from another user, logged in from another PC. This appears to happen when the server gets overloaded, but the resources assigned by now should be sufficient.
The environment: Glassfish 3.0.1, 6GB RAM, 10+ applications deployed (some with JSF, some plain JSP, and some others just WebServices) using JAAS and Glassfish built-in SSO, no load-balancer, no proxy, up to 100 users at a time.
The case: lots of users log in to the applications, using JAAS and SSO. At some point, something happens (we do not know what), and other users, with or without being logged into an application, just by pressing F5 in their browsers, get into the application logged in with the data of one of the previously logged-in users - and pressing F5 again changes to another user's data, and so on. Sometimes it happens a few times, but other times the only way to get back to normal functioning is restarting the server.
A note: "pretty overloaded" sometimes means 60 users at a time, 400+ sessions created since starting the server.
We found that this behaviour is reported when using Apache+Mod_JK with Glassfish, but in this case we are not using Apache, nor any other load-balancer, no proxy either.
Please, any help will be appreciated, because this is a level-1 security issue, and we don't know what the cause could be or what we should do.
Another note: we thought it could be a problem with our ManagedBeans in JSF, or Session Beans in EJBs, but this happens even on the login page, which is just a plain HTML page with a JAAS form.
Thanks in advance!