
For a web application, we are dependent on a CMS deployed on WebLogic and a web app deployed on Tomcat. When a user accesses a page, dynamic content is rendered from Tomcat (sticky session is enabled) and static content (js, css etc.) is rendered from the CMS (on WebLogic). This is leading to a conflict on the JSESSIONID cookie. The WebLogic JSESSIONID is overriding the Tomcat JSESSIONID and the user is losing the contents saved in the session when moving to and from various parts of the site.

The request flow is as below

[1]: https://i.stack.imgur.com/17Ft5.png

As a band-aid, we wrote a rule on the load balancer to drop JSESSIONID for all responses coming from the CMS.

Though it worked, I am looking for a better way to handle this.

skonka

1 Answer

  1. Why is your CMS setting a cookie? Does it need sessions to provide those files?

    Usually static files do not need a session. One should allow them to be cached on proxies and on the client.

    Configure your CMS appropriately. If it is a web application, you may add a Filter that removes Set-Cookie header from its responses (like you are doing on your LB).

  2. It is possible to change the name of a session cookie. This is configurable using <session-config>/<cookie-config>/<name> element in web.xml in web applications that adhere to Servlet 3.0 (or later) specification.

    (It is also configurable as sessionCookieName attribute on Context element in META-INF/context.xml, but using web.xml is the recommended way).

  3. Note that Cookies can have a Path attribute. A browser won't send a cookie if its Path does not match the URL of the request. Cookies with Path:/web and Path:/content can happily co-exist together.

    Tomcat supports requests that have several JSESSIONID cookies. It just chooses the one that matches an existing session. All the others are ignored.

Konstantin Kolinko
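The cookie behaviour behind points 2 and 3 of the answer, as an added example that is not part of the original post: a small model of browser cookie storage that replays a Tomcat response followed by a CMS response under three schemes. The session ids and the `CMSSESSIONID` name are constructed for illustration, and that both servers currently set `Path=/` is an assumption.

```javascript
// Minimal model of RFC 6265 cookie storage (added example; one site only,
// no Domain, expiry, Secure or HttpOnly handling).

// RFC 6265 section 5.1.4: does the request path fall under the cookie Path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

class CookieJar {
  constructor() { this.store = new Map(); }

  // Store one Set-Cookie header value. A cookie is identified by name + path
  // here, so the same name and path from another backend replaces the value.
  setCookie(header) {
    const [pair, ...attrs] = header.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq), value = pair.slice(eq + 1);
    let path = '/'; // simplification: "/" when no Path attribute is given
    for (const attr of attrs) {
      const m = /^path=(.*)$/i.exec(attr);
      if (m && m[1].startsWith('/')) path = m[1];
    }
    this.store.set(`${name};${path}`, { name, value, path });
  }

  // Build the Cookie request header for a path; longer paths are listed first.
  cookieHeader(requestPath) {
    return [...this.store.values()]
      .filter(c => pathMatches(requestPath, c.path))
      .sort((a, b) => b.path.length - a.path.length)
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Replay the same two responses (Tomcat first, then the CMS) under one scheme.
function replay(tomcatSetCookie, cmsSetCookie) {
  const jar = new CookieJar();
  jar.setCookie(tomcatSetCookie);
  jar.setCookie(cmsSetCookie);
  return { web: jar.cookieHeader('/web/cart'), content: jar.cookieHeader('/content/site.css') };
}

const collision = replay('JSESSIONID=tomcat-1; Path=/', 'JSESSIONID=cms-9; Path=/');
const scoped = replay('JSESSIONID=tomcat-1; Path=/web', 'JSESSIONID=cms-9; Path=/content');
const renamed = replay('JSESSIONID=tomcat-1; Path=/', 'CMSSESSIONID=cms-9; Path=/');
console.log({ collision, scoped, renamed });
```

In the `collision` case the request to `/web` carries only the CMS session id, which is the lost-session symptom from the question; with scoped paths or a renamed cookie the Tomcat id survives.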