1

We have one web application that is being built to serve multiple regional web site TLDs. In addition, the web application also supports thousands of dynamic subdomains. Examples include:

www.example.com
www.example.co.uk
www.example.com.ar
fred123.example.co.uk  <== Thousands of this form
fred123.p.example.us   <== Thousands of this form

While we can understand that different domain TLDs result in new sessions, a problem starts to appear with the latter 2 examples above, which also result in new session instances. For example, if a user:

  1. Goes to: www.example.co.uk a new session is created and then...
  2. Clicks on a link: fred123.example.co.uk a new session is created and then...
  3. Clicks on a link: sam99.example.co.uk a new session is created...

3 clicks ==>> 3 sessions!!!!

The problem appears to be due to the fact that GlassFish v3 automatically makes the domain of the JSESSIONID to be the FQDN of the host request.

What is required is that the host name part be stripped off the domain value, at the very least, to have domain values like:

.example.com
.example.co.uk
.example.com.ar
.example.co.uk  <== Thousands of this form
.p.example.us   <== Thousands of this form

Does anyone know how this can be achieved? I have found the following Q&A; however, in our case the subdomain TLDs do not all match:

An issue dealing with JSP Session

Ergo, the solution of statically configuring the sun-web.xml OR using a Servlet 3.0 solution does not appear to help. Also, creating a filter response wrapper does not work either, as the JSESSIONID cookie is assigned in the lower levels of the application server and is not exposed to the web app to intercept.

The only other two options I think I have are:

a) Patch the GlassFish v3 code that sets JSESSIONID cookie domain value to FQDN so that some stripping occurs OR

b) Doing something in the Sun Web Server 7.0 reverse proxy layer that we have to re-write the JSESSIONID cookie domain value returned in the Set-Cookie header; however, I have not been able to find examples of how to do this.

Can anyone help resolve this issue? Any clues / help will be very much appreciated!

  • Do all these URLs map to a unique webapp? – Pascal Thivent Jul 10 '10 at 21:48
  • Yes. They all map to one webapp. Initially there will be 8 regional TLDs and later more will be added, and as we will have 2 servers LB'd with 6 GlassFish instances, it starts to become quite unwieldy to deploy separate webapps for the purposes of allowing distinct JSESSIONID domain cookie values. Also, regardless, separate webapps is still a problem for the dynamic domains. Thoughts??? – nikolaosinlight Jul 10 '10 at 23:19
  • Two areas that I am looking at: 1) Somehow get Sun Web Server 7.0 RP to re-write the JSESSIONID cookie domain value set in the header response returned from the GlassFish v3 server. Anyone know how? 2) Writing a modified version of the class in GlassFish v3 that determines the FQDN of the JSESSIONID cookie domain value so that it can better set the value. In fact, that is exactly how the cookies in our current code compute their cookie domain value to set the selected / determined domain locale. Anyone know which class in the code I should zero in on? – nikolaosinlight Jul 11 '10 at 01:10

1 Answer

0

Using Apache and mod_headers to rewrite the cookies? Best way for allowing subdomain session cookies using Tomcat

mhaller
  • Sorry - I should have pointed out that we are using Oracle / Sun Web Server 7.0 for the RP layer (I mentioned it in passing at the end of the post but should have been clearer). Our architecture is all Oracle / Sun... and as such adding Apache into the Architecture just to support this aspect will unfortunately not do. Apologies I wasn't clearer in stating that in the original post. Sorry. – nikolaosinlight Jul 10 '10 at 23:23
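The Set-Cookie rewrite that the question's option (b) and the answer above both describe, as an added example (not code from the original posts, GlassFish or Sun Web Server). The class name, method names, the four-entry suffix set and the sample cookie are assumptions made up for illustration, and the Host value is assumed to be a DNS name, not an IP literal.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class SessionCookieDomain {
    // Constructed suffix set covering only the question's sample hosts;
    // a real deployment would load the full Public Suffix List instead.
    static final Set<String> SUFFIXES = Set.of("com", "co.uk", "com.ar", "us");

    /** Host minus its first label, with a leading dot, or null when no safe parent exists. */
    static String parentDomain(String host) {
        String h = host.toLowerCase(Locale.ROOT);
        int colon = h.indexOf(':');            // drop an optional :port
        if (colon >= 0) h = h.substring(0, colon);
        int dot = h.indexOf('.');
        if (dot < 0) return null;              // single-label host, nothing to strip
        String parent = h.substring(dot + 1);
        // Never scope a cookie to a bare suffix such as co.uk.
        if (parent.isEmpty() || SUFFIXES.contains(parent)) return null;
        return "." + parent;
    }

    /** Rewrites the Domain attribute of a JSESSIONID Set-Cookie header value. */
    static String rewrite(String setCookie, String host) {
        if (!setCookie.regionMatches(true, 0, "JSESSIONID=", 0, 11)) return setCookie;
        String domain = parentDomain(host);
        if (domain == null) return setCookie;  // keep the container's host-only scope
        List<String> parts = new ArrayList<>();
        for (String p : setCookie.split(";")) {
            String t = p.trim();
            // Drop any Domain attribute the container already set.
            if (!t.isEmpty() && !t.regionMatches(true, 0, "domain=", 0, 7)) parts.add(t);
        }
        parts.add("Domain=" + domain);
        return String.join("; ", parts);
    }

    public static void main(String[] args) {
        String cookie = "JSESSIONID=abc123; Path=/; HttpOnly"; // constructed sample
        for (String host : new String[] {"www.example.co.uk", "fred123.example.co.uk",
                "fred123.p.example.us", "example.co.uk"}) {
            System.out.println(host + " -> " + rewrite(cookie, host));
        }
    }
}
```

With the Domain attribute set to .example.co.uk, the browser sends the session ID to every host under that domain, including all of the dynamic subdomains, so anything served from those names can read it.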