0

I have the following requirements

  1. Multiple JARs. Each running an embedded Jetty.
  2. Run everyone on same domain/port - using reverse proxy (Apache)
  3. A JAR can have multiple instances running on different machines (yet under same host/port).
  4. Complete session separation - absolutely no sharing even between 2 instances of same webapp.
  5. Scale this all dynamically.
  6. I do not know if this is relevant, but I know Spring Security is used in some of these web apps.

I got everything up and running by adding reverse proxy rules and restarting Apache. Here is a simplified description of 2 instances for webapp-1 and 2 instances for webapp-2. 

http://mydomain.com/app1 ==> 1.1.1.1:9099
http://mydomain.com/app2 ==> 1.1.1.1:9100
http://mydomain.com/app3 ==> 1.1.1.2:9099
http://mydomain.com/app4 ==> 1.1.1.2:9100

After setting this up successfully (almost), we see problems with JSESSIONID cookie. Every app overrides the others' cookie - which means we have yet to achieve total session separation as one affects the other.

I read a lot about this issue online, but the solutions never really suffice in my scenario.

The IDEAL solution for me would be to define JETTY to use some kind of UUID for the cookie name. I still cannot figure out why this is not the default.

I would even go for a JavaScript solution. JavaScript has the advantage that it can see the URL after ReverseProxy manipulation. So for http://mydomain.com/XXX I can define cookie name to be XXX_JSESSIONID.

But I cannot find a howto on these.

So how can I resolve this and get a total separation of sessions?

jesse mcconnell
  • 7,102
  • 1
  • 22
  • 33
guy mograbi
  • 27,391
  • 16
  • 83
  • 122
  • What are you using for session management? Jetty's JDBC sessions, the default hash session managers, mongo...a custom one? – jesse mcconnell Apr 26 '13 at 12:26
  • default as far as I know. I can see JSESSIONID cookies in the browser. I don't have a DB available at all. I have not written a custom session manager. – guy mograbi Apr 26 '13 at 12:36

1 Answers1

1

You must spend some time understanding what session manager you are using and what features/benefits it gives you. If you have no db available, and you have no custom session manager then I am inclined to believe you are using a HashSessionManager that we distribute which is usable for session management on a single host only, there is no session sharing across jvms in this instance.

If you are running 4 separate jvm processes (and using the HashSessionManager) as the above seems to indicate then there is no sessions being shared across nodes.

Also you seem to be looking to change the name of the session id variable for each application. To do that simply set a different name for each application.

http://www.eclipse.org/jetty/documentation/current/session-management.html

You can set a new org.eclipse.jetty.servlet.SessionCookie name for each webapp context and that should address your immediate issue.

jesse mcconnell
  • 7,102
  • 1
  • 22
  • 33
  • Hi. I am probably using HashSessionManager. But as specified in my question, changing the context is not suitable. I need something more dynamic. Is there a JVM arg I can pass that will do the same thing? The sessions are not shared - worse, they are overridden. When I access app2, I get logged out of app1. I assume that proper production projects define a different cookie name. How does this affect spring security? are there modules that hard-code the name "JSESSIONID"? – guy mograbi Apr 27 '13 at 05:55