4

I am using Shiro for session management. When I get the session ID on the server side, it is something like this:

node0sicwaberf0z59o8qpehfpasf6

However, when I check the JSESSIONID in my browser this value is saved as:

node0sicwaberf0z59o8qpehfpasf6.node0

What exactly is this .node0, and why is it appended to the end of the session ID?

It is also worth mentioning that I am using Jetty 9 as my web server.

HoldOffHunger
Amir Qasemi

4 Answers

2

The format of the Jetty session id (9.3 and onwards) is the worker name (e.g. node0), a randomly generated unique ID (e.g. 123x0dsf), and the .worker name (e.g. .node0), according to org.eclipse.jetty.server.session.DefaultSessionIdManager.

Check DefaultSessionIdManager#renewSessionId and DefaultSessionIdManager#getExtendedId.

Suraj Rao
Dio
2

Session management received a significant overhaul in Jetty 9.4. I faced the same issue when I upgraded Jetty from 9.3.25.x to 9.4.15.x. Due to the addition of the worker name to JSESSIONID, some header validation in my application that happens outside of Jetty started failing. As I have only a single Jetty node, I chose to remove the node ID from the session ID. I managed to remove the .node postfix by adding the following lines to start.ini:

jetty.sessionIdManager.workerName=
etc/sessions/id-manager.xml

By default, Jetty 9.4.x will instantiate a single instance of the DefaultSessionIdManager and HouseKeeper at startup with default settings. The above configuration overwrites workerName in the default configuration.

Reference

Nils
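A validation step that sits outside Jetty, like the one mentioned in this answer, can also tolerate the suffix by comparing only the part of the cookie before the last dot. The following is an added example, not code from the answer or from Jetty; the names SessionIdCheck, clusterId and sameSession are hypothetical, and it assumes the session ID itself contains no dot.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Added example: matches a JSESSIONID cookie against the server-side session ID. */
public final class SessionIdCheck {

    /** Strips a trailing ".<workerName>" (e.g. ".node0") from the cookie value. */
    static String clusterId(String cookieValue) {
        if (cookieValue == null) {
            return null;
        }
        int dot = cookieValue.lastIndexOf('.');
        // dot <= 0: no suffix, or nothing before the dot; leave the value unchanged.
        return dot > 0 ? cookieValue.substring(0, dot) : cookieValue;
    }

    /** True when the cookie refers to the given server-side session ID. */
    static boolean sameSession(String serverSideId, String cookieValue) {
        String fromCookie = clusterId(cookieValue);
        if (serverSideId == null || serverSideId.isEmpty() || fromCookie == null) {
            return false;
        }
        // Constant-time comparison, so the check does not reveal how many
        // leading characters of a guessed ID were correct.
        return MessageDigest.isEqual(
                serverSideId.getBytes(StandardCharsets.UTF_8),
                fromCookie.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Values taken from the question: server-side ID and browser cookie.
        String serverSide = "node0sicwaberf0z59o8qpehfpasf6";
        String cookie = serverSide + ".node0";

        System.out.println("cookie with suffix:    " + sameSession(serverSide, cookie));
        System.out.println("cookie without suffix: " + sameSession(serverSide, serverSide));
        // Constructed mismatch and missing-cookie cases.
        System.out.println("different session:     " + sameSession(serverSide, "node0other.node0"));
        System.out.println("missing cookie:        " + sameSession(serverSide, null));
    }
}
```

The suffix is deliberately not compared against a fixed worker name, since in a multi-node deployment it identifies whichever node issued the cookie.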
1

I know it's late, but maybe it will help somebody.

I'm using maven-jetty-plugin (9.4.6.v20170531) and experienced a similar issue: Session.getId() returns one value, but the ServletContainer actually sets the JSESSIONID cookie to value+'.node0'.

I do not use clustering in any way, and have no configuration at all. This is the default behaviour of the Jetty server.

I managed to remove the .node postfix by adding the following lines to jetty-env.xml:

<Get name="sessionHandler">
  <Call name="getServer" id="srv"></Call>
  <Set name="sessionIdManager">
    <New class="org.eclipse.jetty.server.session.DefaultSessionIdManager">
        <Arg><Ref refid="srv" /></Arg> 
        <Set name="workerName" type="String"></Set>
    </New>
  </Set>
</Get>

Here is the related source code of DefaultSessionIdManager

Eugene
0

This is a Jetty session id; you can read a little more about it here: http://jetty.4.x6.nabble.com/Some-questions-regarding-upgrade-9-3-gt-9-4-td4966096.html

Brian Demers