0

Although easily done from my perspective with IIS, I'm a total noob to Tomcat and have no idea how to set static values for cookie contents. Yes I've read the security implications and eventually will access via SSL so I'm not concerned. Plus I've read the Servlet 3.0 spec about not changing the value and I accept that.

In IIS I would simply set a HTTP Header named Set-Cookie with an arbitrary setting of WebServerSID and a value of 1001.

Then in the load balancer VIP containing this group of real servers, set the value WebServerSID at the VIP level, and for the first web server a cookie value of 1001 and so one for the remaining machines 1002 for server 2, 1003 for server 3.

This achieves session affinity via cookies until the client closes the browser.

How can this be done with Tomcat 7.0.22?

I see a great deal of configuration changes have occurred between Tomcat 6.x and 7.x with regard to cookies and how they're set up. I've tried the following after extensive research over the last week.

In web.xml: (this will disable URL rewriting under Tomcat 7.x) <tracking-mode>COOKIE</tracking-mode> under the default session element

In context.xml: (cookies is true by default but I was explicit as I can't get it working)

cookies=true
sessionCookiePath=/
sessionCookieName=WebServerSID
sessionCookieName=1001

I have 2 entries in context.xml for sessionCookieName because the equivalent commands from Tomcat 6.x look like they've been merged into 1. See http://tomcat.apache.org/migration-7.html#Tomcat_7.0.x_configuration_file_differences

Extract:

org.apache.catalina.SESSION_COOKIE_NAME system property: This has been removed. An equivalent effect can be obtained by configuring the sessionCookieName attribute for the global context.xml (in CATALINA_BASE/conf/context.xml). org.apache.catalina.SESSION_PARAMETER_NAME system property: This has been removed. An equivalent effect can be obtained by configuring the sessionCookieName attribute for the global context.xml (in CATALINA_BASE/conf/context.xml).

If this is not right then I simply do not understand the syntax that is required and I cannot find anywhere that will simply spell it out in plain black and white.

Under Tomcat 6.x, I would have used Java Options in the config like:

-Dorg.apache.catalina.SESSION_COOKIE_NAME=WebServerSID
-Dorg.apache.catalina.SESSION_PARAMETER_NAME=1001

The application I'm using does not have any of these values set elsewhere so it's not the application.

All these settings are in context/web/server.xml files at the Catalina base

At the end of the day what I need to see in the response headers under Set-Cookies: (as seen using Fiddler) is:

WebServerSID=1001

NOT

JSESSIONID=as8sd9787ksjds9d8sdjks89s898

thanks in advance

regards

Aaron
  • 1
  • 1
  • 5

1 Answers1

0

The best you can do purely with configuration is to set the jvmRoute attribute of the Engine which will add the constant value to the end of the session ID. Most load-balancers can handle that. It would look like:

JSESSIONID=as8sd9787ksjds9d8sdjks89s898.route1

If that isn't good enough and you need WebServerSID=1001 you'll have to write a ServletFilter and configure that to add the header on every response.

Mark Thomas
  • 16,339
  • 1
  • 39
  • 60
  • I did look into the jvmRoute component but was reluctant to try it. Reason being I couldn't find anything in the load balancer documentation suggesting the sessionid component would just be "ignored" and only the defining part "route1" would be read. What I did find I could do is and set the jvmRoute to 1001. That would leave JSESSIONID=.1001 but then I couldn't get sessionCookieName=WebServerSID to play it's part. It simply doesn't work there something wrong with it. This would give me WebServerSID=.1001 and near enough is good enough at this stage but cannot. – Aaron May 17 '12 at 01:36
  • And always wanting to understand where I've gone wrong in these matters, what's wrong with these entries? `sessionCookieName=WebServerSID sessionCookieName=1001` – Aaron May 17 '12 at 01:58
  • The example the load balancer documentation gave of a JavaScript command for Cookie Switching was `SetCookie("ServerID","1")` and consult RFC 2109. Does this make any difference to the way this can be achieved? – Aaron May 17 '12 at 07:44
  • Where do I start with writing a servlet for this? I know absolutely ZERO about it so any links should be appropriate. – Aaron May 18 '12 at 03:59
  • OK then, this has been quiet for too long. How much will it cost to have someone write a Servlet Filter as suggested by Mark? How quickly can it be done with some implementation documentation? – Aaron May 23 '12 at 01:16
  • Mark, Thanks very much, I'll see what I can work out with this. regards – Aaron May 25 '12 at 12:59