3

I'm currently developing an application with Spring and Shiro. I'm deploying to Tomcat 7, and in production I'm using nginx as a reverse proxy. Everything works smoothly (well, kind of) except that the jsessionid is added to each URL when accessing the application through the nginx proxy.

When I use the following nginx config:

    server {
        server_name example.com www.example.com;
        listen 80;

        location /myapp {
            proxy_pass http://localhost:8080;
        }
    }

I access the app through www.example.com/myapp, everything is fine then - no jsessionid in the URL.

When I use the following config:

    server {
        server_name sub.example.com www.sub.example.com;
        listen 80;

        location / {
            # Public path "/" is mapped onto the webapp's context path "/myapp/"
            proxy_pass http://localhost:8080/myapp/;
        }
    }

I access the app through www.sub.example.com, and then I see the jsessionid added to each URL (even after successful login).

I found a similar thread that advised adding the following to the web.xml:

    <session-config>
      <tracking-mode>COOKIE</tracking-mode>
    </session-config>

That works - well, jsessionid is removed but I can't authenticate, which makes me think that there's a cookie configuration problem in nginx. Any advice?

EDIT//: Found the solution, just need to add the following in the nginx config:

    proxy_cookie_path /myapp/ /;

Stugal
  • Have you confirmed that this really is a cookie issue? Can you authenticate when accessing Tomcat directly in production? Also check the value of the cookie in the web browser (using the Chrome console or something else): is it being set, and does the value not change? – Wouter Oct 22 '14 at 13:38
  • I can authenticate no problem when accessing Tomcat directly. Even accessing with the first nginx config works. – Stugal Oct 22 '14 at 13:52
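
Why the `proxy_cookie_path /myapp/ /;` line from the question's EDIT fixes the second config, shown as an added example that is not code from the post: it models browser cookie path matching (RFC 6265) and a simplified form of nginx's prefix rewrite. It assumes Tomcat issues the session cookie with `Path=/myapp/`; the cookie value, request paths and function names are constructed for illustration.

```javascript
// Added example with constructed values; not captured from the asker's server.

// RFC 6265 section 5.1.4 path-match: does a cookie Path cover this request path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Simplified model of the plain-string form of proxy_cookie_path: when the
// Path attribute starts with `from`, that prefix is replaced by `to`.
function rewriteCookiePath(setCookie, from, to) {
  return setCookie
    .split(";")
    .map((attr, i) => {
      const [name, ...rest] = attr.trim().split("=");
      const value = rest.join("=");
      // i > 0 skips the name=value pair so a cookie named "path" is untouched
      if (i > 0 && name.toLowerCase() === "path" && value.startsWith(from)) {
        return "Path=" + to + value.slice(from.length);
      }
      return attr.trim();
    })
    .join("; ");
}

// Would a browser that stored this Set-Cookie send it back on requestPath?
function browserSends(setCookie, requestPath) {
  const m = /;\s*path=([^;]*)/i.exec(setCookie);
  if (!m) throw new Error("example expects an explicit Path attribute");
  return pathMatches(requestPath, m[1].trim());
}

// Assumed Set-Cookie from Tomcat for a webapp deployed at /myapp (constructed).
const fromTomcat = "JSESSIONID=0123456789ABCDEF; Path=/myapp/; HttpOnly";

function demo() {
  const fixed = rewriteCookiePath(fromTomcat, "/myapp/", "/");
  return {
    config1: browserSends(fromTomcat, "/myapp/login"), // www.example.com/myapp/...
    config2: browserSends(fromTomcat, "/login"),       // www.sub.example.com/...
    config2Fixed: browserSends(fixed, "/login"),       // with proxy_cookie_path
    fixedHeader: fixed,
  };
}

console.log(demo());
```

With the second config the browser never returns the cookie because its public paths do not start with `/myapp/`, which is consistent with the login failure once URL tracking is disabled.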

2 Answers

3

For Shiro specifically, I fixed this problem in our application with the following. You need to add

    request.setAttribute(ShiroHttpServletRequest.REFERENCED_SESSION_ID_SOURCE, ShiroHttpServletRequest.COOKIE_SESSION_ID_SOURCE);

in the request that creates the JSESSIONID cookie on the client. Basically, this tells Shiro to use the cookie source instead of URL rewriting to get the session IDs.

The following doesn't work with Shiro's DefaultWebSessionManager. It only works with ServletContainerSessionManager

    <session-config>
      <tracking-mode>COOKIE</tracking-mode>
    </session-config>

dogfish
-1

Adding the following after proxy_pass might work:

    proxy_redirect http://localhost:8080/myapp/ /;

proxy_pass and proxy_redirect often complement each other. See http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_redirect

Wouter