
How to dispatch 2 subsequent requests without a cookie from the same client to the same JBoss node?

I have a multi-node setup with Apache, JBoss7 (with load balancing, sticky session and SSO) and Tomcat. Here is the scenario:

  1. User enters https:///myapp on the browser
  2. Load balancer dispatches it to node1, on the myapp.ear file.
  3. Since there is no authentication yet, myapp loads the unprotected client_redirect.jsp resource, which creates a JSESSIONID and returns to the client. The HTTP Response has the header Set-Cookie:JSESSIONID=1234_.node1; Path=/myapp
  4. The "empty" page below* is loaded on the browser; the onload event handler changes the URL to https:///home/?app=myapp and another request is sent. HOWEVER, IT DOES NOT CONTAIN THE JSESSIONID cookie
  5. Server receives the 2nd request and, due to round-robin policy, dispatches it to node2, on main.ear file
  6. main loads the unprotected login.jsp resource, which creates another JSESSIONID and returns to the client. The HTTP Response has the SET-COOKIE header as Set-Cookie:JSESSIONID=5678_.node2; Path=/
  7. Login page is loaded, but now we have 2 JSESSIONID COOKIES on the browser, pointing to different nodes, which will lead to SSO issues after login, when we redirect to https://<ip>/myapp again

* "Empty" client_redirect page:

    <html>
        <script type="text/javascript">
            // After the page has loaded, replace the current URL with the
            // entry point of the main application (login page)
            window.onload = function() {
                window.location.replace('../../home/?app=myapp');
            }
        </script>
    </html>

Solution

  • Here is the solution a friend suggested:

    We don't need 2 JSESSIONID cookies, so we shouldn't create them in the 1st place. myapp should set up the web.xml file as follows, so both main and myapp can share the same session.

    <session-config>
        <cookie-config>
            <path>/</path>
        </cookie-config>
    </session-config>
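
The cookie-path rule behind steps 4 to 6 and the fix above, as an added example in JavaScript that is not part of the original post: a minimal model of the browser's path-match check (RFC 6265, section 5.1.4) and of a sticky router that reads the node suffix from JSESSIONID. Session ids and node names are constructed sample values, and the `.nodeN` suffix convention is assumed from the cookies shown in the question.

```javascript
// Added example, not code from the original post. Models why a JSESSIONID
// scoped to Path=/myapp is not sent with the request to /home/, so the
// balancer falls back to round-robin and a second session cookie appears.
"use strict";

// RFC 6265 path-match: the cookie-path must equal the request-path, or be a
// prefix that ends in "/" or is followed by "/" in the request-path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith("/")) return true;
  return requestPath.charAt(cookiePath.length) === "/";
}

// Parse a Set-Cookie header into {name, value, path}. A missing Path falls
// back to "/" here for simplicity (real browsers derive it from the URL).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), path: "/" };
  for (const attr of attrs) {
    const [key, val] = attr.split("=");
    if (key.toLowerCase() === "path") cookie.path = val;
  }
  return cookie;
}

// Cookie pairs the browser would attach to a request for requestPath.
function cookiesFor(jar, requestPath) {
  return jar.filter((c) => pathMatches(requestPath, c.path))
            .map((c) => `${c.name}=${c.value}`);
}

// Sticky router (assumed convention): route on the ".nodeN" suffix of the
// JSESSIONID when present, otherwise use the round-robin choice.
function routeRequest(cookiePairs, roundRobinNext) {
  const m = /JSESSIONID=[^;]*\.([A-Za-z0-9]+)/.exec(cookiePairs.join("; "));
  return m ? m[1] : roundRobinNext;
}

// Replay steps 3 to 5 of the question for a given Set-Cookie from node1.
function simulate(setCookieFromMyapp) {
  const jar = [parseSetCookie(setCookieFromMyapp)]; // response of client_redirect.jsp
  const sent = cookiesFor(jar, "/home/");            // second request, to /home/?app=myapp
  return { cookiesSent: sent, servedBy: routeRequest(sent, "node2") };
}
```

With `Path=/myapp` the second request carries no cookie and lands on node2; with `Path=/` the same cookie is sent and the sticky router keeps the client on node1.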
    

    Related links: