Sessions (occasionally) getting mixed up

OS: Windows 2008 Server R2
Java Version: 8.0.1810.13
Tomcat Version: 8
Lucee Version:

We have an issue where, occasionally, sessions are mixed up i.e. two users have their sessions swapped over and each “become” the other user. This is very occasional, but clearly serious when it happens.

I’ve read online about issues with mod_jk and Tomcat, but we’re using mod_proxy_ajp. It’s a single server, no clustering. We are using the following configuration on Apache 2.4:

ProxyPreserveHost On
ProxyPassMatch ^/(.+\.cf[cm])(/.*)?$ ajp://localhost:8009/$1$2

LoadModule modcfml_module modules/
CFMLHandlers ".cfm .cfc .cfml"
ModCFML_SharedKey "xxxxxx" 

We are using Application sessions, stored as files. Would JEE be better?

Any suggestion as to a possible cause / how we can avoid this?


Check for race conditions in your application using CFLint. Look for singletons or application-scope persisted UDFs with missing var-ing; far more likely than a config issue.

In case an application/coding issue could be causing this, I would try to identify the users (e.g. IP address and user-agent) and the server time of when the switching happens, and try to isolate the cfm/cfc pages through the webserver logs and the users' URL paths. I would even log the cookies for that. But of course, it depends very much on the quantity of data you are collecting. 5 concurrent users is not the same as a thousand.
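
An added example, not part of any post in this thread: one way to run the log correlation suggested above, flagging any session id that is presented by two different clients (IP plus user-agent) within a short window. The log format, the sample lines and the function names are assumptions made for illustration; if nothing is flagged, the cookies themselves are not crossing between clients, which points back at shared application state.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Apache LogFormat (not from the thread), with the Cookie header logged:
#   "%h %t \"%r\" %>s \"%{User-Agent}i\" \"%{Cookie}i\""
LINE = re.compile(
    r'(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"')
SESSION_COOKIES = ("cfid", "jsessionid")  # CFML application sessions / JEE sessions

def session_id(cookie_header):
    """Return 'name=value' for the first session cookie in the header, else None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name.lower() in SESSION_COOKIES and value:
            return f"{name.lower()}={value}"
    return None

def find_shared_sessions(lines, window=timedelta(minutes=30)):
    """Map session id -> consecutive hit pairs from different clients within window."""
    seen = defaultdict(list)  # session id -> [(time, ip, user-agent, request)]
    for line in lines:
        m = LINE.match(line)
        sid = session_id(m["cookie"]) if m else None
        if sid:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            seen[sid].append((ts, m["ip"], m["ua"], m["req"]))
    findings = {}
    for sid, hits in seen.items():
        hits.sort(key=lambda h: h[0])
        for prev, cur in zip(hits, hits[1:]):
            if (prev[1], prev[2]) != (cur[1], cur[2]) and cur[0] - prev[0] <= window:
                findings.setdefault(sid, []).append((prev, cur))
    return findings

# Constructed sample lines (documentation IP ranges, made-up session ids).
SAMPLE = [
    '192.0.2.10 [01/Jan/2024:10:00:01 +0000] "GET /account.cfm HTTP/1.1" 200 "UA-A" "cfid=aaa111; cftoken=0"',
    '198.51.100.7 [01/Jan/2024:10:00:03 +0000] "GET /orders.cfm HTTP/1.1" 200 "UA-B" "cfid=bbb222; cftoken=0"',
    '203.0.113.5 [01/Jan/2024:10:01:00 +0000] "GET /index.cfm HTTP/1.1" 200 "UA-C" "cfid=ccc333; cftoken=0"',
    '198.51.100.7 [01/Jan/2024:10:04:40 +0000] "GET /account.cfm HTTP/1.1" 200 "UA-B" "cfid=aaa111; cftoken=0"',
    '192.0.2.10 [01/Jan/2024:10:05:02 +0000] "GET /orders.cfm HTTP/1.1" 200 "UA-A" "cfid=bbb222; cftoken=0"',
]

if __name__ == "__main__":
    for sid, pairs in find_shared_sessions(SAMPLE).items():
        for prev, cur in pairs:
            print(f"{sid}: {prev[1]} at {prev[0]} -> {cur[1]} at {cur[0]} ({cur[3]})")
```

Users who legitimately change network (mobile to Wi-Fi) will also be flagged, so treat each hit as a lead to check against the reported swap times rather than as proof.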

Windows 2008 R2 was desupported 2 months ago. Consider upgrading (remove technical debt). Hopefully the app is not internet-facing…