
Recently, we have upgraded our application server from JBoss EAP6.2 to EAP7.0.

Even though it runs the non-HA profile (aka standalone.xml), JBoss adds jboss.node.name at the end of the JSESSIONID cookie.

For example,

Spring Boot generates a JSESSIONID as tHSf9v23SSDBMqJ1O7XFJZ9.... and when the request comes to the browser, the cookie becomes tHSf9v23SSDBMqJ1O7XFJZ9.master:<jboss.node.name>, which causes some compatibility issues.

I've run some experiments by manually calling response.addCookie. In that case, it does not add the master suffix to the cookie. However, if Spring itself writes the cookie, it seems that JBoss picks it up and adds the master suffix. I know this case can be a little confusing (it is to me), so I'm happy to provide more information.

Bunyamin Coskuner
  • It's default behavior, I don't think it's possible to change. – Abhijit Humbe Dec 11 '18 at 04:28
  • I know it is by default, but I feel like there should be some way to override this behavior – Bunyamin Coskuner Dec 11 '18 at 06:12
  • Have you tried removing `instance-id` attribute from `` – Atul Dec 12 '18 at 19:50
  • Maybe you find something useful here https://developer.jboss.org/thread/276894 – Ivan Kovbas Dec 14 '18 at 13:45
  • Seems you are not the only one facing this issue... https://developer.jboss.org/thread/171103?_sscc=t – ymz Dec 16 '18 at 15:47
  • I think you should never rely under any circumstances upon the return value of javax.servlet.HttpSession.getId(), so you have to generate your own session id using the org.util.UUID class. – DHARMENDRA SINGH Dec 18 '18 at 05:38
  • @DHARMENDRASINGH it's quite a long story and I cannot change the code right now. I have to fix this issue somehow. I'll try what AtulK suggested – Bunyamin Coskuner Dec 18 '18 at 05:43
  • Removing the instance id will not help, as JBoss would simply use the instance id from its configuration as default. But you can change it into something not meaningful for outsiders. – Queeg Dec 01 '22 at 20:43

2 Answers


An old thread, but for those who still stumble upon it:

In EAP7/Wildfly11+ the session cookie will have a value in the form:

<sessionId>.<instanceId>

Where instanceId is taken from the Undertow subsystem config attribute instance-id. By default it is going to be set to the value of the jboss.node.name system property in standalone mode, and to <serverGroup>:<hostname> in domain mode.

You can customize the instanceId value via Undertow subsystem config: Either via standalone.xml:

 <subsystem xmlns="urn:jboss:domain:undertow:3.1" instance-id="${myValue}">

Or via corresponding cli:

/subsystem=undertow:write-attribute(name=instance-id, value=myvalue)

In which case you get a final JSESSIONID that looks something like this:

JSESSIONID=FdEyt_nZvyAV1gKpQ_3ZsSYeu41JycphvMdHcYeT.myvalue
yntelectual
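
An added example, not part of the original answer and not JBoss or Undertow code: a small Python check that splits a `Set-Cookie` value into the `<sessionId>.<instanceId>` form described above and reports when the suffix still exposes a default-style or internal host name. The function names, the sample headers, the `:` heuristic and the assumption that the session id part contains no dot are all assumptions made for this example.

```python
from typing import List, NamedTuple, Optional


class SessionCookie(NamedTuple):
    session_id: str
    instance_id: Optional[str]  # routing suffix; None when the cookie has none


def parse_set_cookie(header: str, name: str = "JSESSIONID") -> Optional[SessionCookie]:
    """Parse one Set-Cookie header value; return None if it is a different cookie."""
    pair = header.split(";", 1)[0]            # drop Path, HttpOnly, ...
    key, sep, value = pair.partition("=")
    if not sep or key.strip() != name:
        return None
    value = value.strip().strip('"')
    # Assumption: the generated session id contains no '.', so the first dot
    # starts the instance-id. The instance-id may itself contain dots (an FQDN).
    session_id, dot, instance_id = value.partition(".")
    return SessionCookie(session_id, instance_id if dot and instance_id else None)


def disclosure_findings(cookie: SessionCookie, internal_names: List[str]) -> List[str]:
    """List reasons the instance-id reveals deployment details to clients."""
    findings: List[str] = []
    inst = cookie.instance_id
    if inst is None:
        return findings
    if ":" in inst:
        # Heuristic: matches the default <serverGroup>:<hostname> shape.
        findings.append("looks like <serverGroup>:<hostname>")
    for host in internal_names:
        if host.lower() in inst.lower():
            findings.append(f"contains internal name {host!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real server.
    samples = [
        "JSESSIONID=FdEyt_nZvyAV1gKpQ_3ZsSYeu41JycphvMdHcYeT.myvalue; Path=/app; HttpOnly",
        "JSESSIONID=abc123.master:app01.corp.example; Path=/app",
        "JSESSIONID=abc123; Path=/app",
    ]
    for header in samples:
        parsed = parse_set_cookie(header)
        print(parsed, disclosure_findings(parsed, ["app01"]))
```

Run it against response headers collected after changing `instance-id` to confirm the suffix clients see no longer carries a host or server group name.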

The answer from @yntelectual is dead right and should be the accepted answer. I just want to complement the fact that the observed behaviour is not a JBoss speciality.

It was introduced so Apache mod_jk and mod_proxy know which one of several possible application servers is working on a given session, and Apache Tomcat as the reference implementation for servlet containers shows exactly the same behaviour. Other containers such as JBoss, Glassfish, Geronimo do the same.

Check

Queeg