Failed to work with jboss cluster session replication (multiple jsessionid cookies)

I am trying to authenticate in my web application deployed on jboss running in cluster mode with two nodes.

After successful authentication, I am redirected to the administration page, where the filter checks if I am registered.

In offline mode, it works fine, but when I deploy in a production process that uses cluster mode, the filter rejects my request because it cannot access the session settings that I set during authentication.

Using developer tools, I see that there are three JSESSIONID cookies: one for /, one for /myapplication, and another, JSESSIONID-34234, for /myapplication (I cleared all of them before starting the process).

Looking at jboss docs, I see no explanation, although this seems to be the source of my problem.

How can I get authentication to work (I use HTTP Spring-based authentication) in my JBoss cluster?

+7
session-cookies session-variables jboss session-replication load-balancing
2 answers

Solved by enabling a sticky session by adding the following to the virtualhost configuration file:

    Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/myapplication" env=BALANCER_ROUTE_CHANGED
    <Proxy balancer://jboss6-hc-001-8109>
        BalancerMember ajp://jboss2.imatiasl.lan:8109 route=jboss2-hc-001-server-02
        BalancerMember ajp://jboss3.imatiasl.lan:8109 route=jboss3-hc-001-server-02
        ProxySet lbmethod=byrequests stickysession=ROUTEID
    </Proxy>

+3
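A diagnostic for the symptom in the question and the fix in the answer above, as an added example that is not part of the original posts: it takes the Set-Cookie headers seen during login, applies the RFC 6265 path-match rule to show which cookies a browser sends to a given URL path and in what order, flags session cookie names that appear more than once, and reads the route out of the ROUTEID sticky cookie. The header values and all function names are constructed for illustration.

```python
from collections import defaultdict
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers modelled on the three cookies in the question,
# plus the ROUTEID cookie set by the Apache configuration in the answer.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=AAA111; Path=/; HttpOnly",
    "JSESSIONID=BBB222; Path=/myapplication; HttpOnly",
    "JSESSIONID-34234=CCC333; Path=/myapplication",
    "ROUTEID=.jboss2-hc-001-server-02; path=/myapplication",
]

def path_matches(cookie_path, request_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_sent(set_cookie_headers, request_path):
    """(name, value, path) for every cookie the browser sends, longest path first."""
    sent = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            path = morsel["path"] or "/"
            if path_matches(path, request_path):
                sent.append((name, morsel.value, path))
    # Stable sort: cookies with equal path length keep their creation order.
    return sorted(sent, key=lambda c: -len(c[2]))

def ambiguous_names(sent):
    """Cookie names sent more than once; the server sees several candidate values."""
    by_name = defaultdict(list)
    for name, value, path in sent:
        by_name[name].append((path, value))
    return {n: v for n, v in by_name.items() if len(v) > 1}

def sticky_route(sent, cookie_name="ROUTEID"):
    """Route after the first '.' in the sticky cookie, or None if absent."""
    for name, value, _ in sent:
        if name == cookie_name:
            return value.partition(".")[2] or None
    return None

if __name__ == "__main__":
    sent = cookies_sent(SAMPLE_SET_COOKIE, "/myapplication/admin")
    print(sent, ambiguous_names(sent), sticky_route(sent), sep="\n")
```

A non-empty result from `ambiguous_names` means the request carries two different session IDs under one name, so which session the application resolves depends on which value the container picks.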

Web session clustering should work if:

  • You have included <distributable/> in web.xml.
  • The application server group uses the ha or full-ha profile.

If you want your clustered application to work better, consider implementing a good load balancing policy. For most webapps, load balancing with sticky sessions is fine.

In some web applications, it is enough not to require re-authentication in the event of a failure, or the session is very easy to restore if authentication information is available. In such cases, you do not even need to cluster web sessions. Clustered SSO is enough; the caveat is that you will have to use container-level protection for authentication (most likely, spring-security is supported). This way, only authentication information is replicated, so you will need to develop session data management in order to be resistant to situations when the session suddenly becomes empty.

+2
