Solved

User logon on load balanced servers

Posted on 2004-04-15
7
381 Views
Last Modified: 2011-10-03
Hello,

I want to build a user login module but sessions and cookies don't seem to work. I think it has something to do with the load balancing between different servers.

How do i implement sessions on load balanced servers ?
I don't want to user client-side scripting(js cookies) because of security issues.

FYI
 - Apache server
 - Apache Tomcat/4.1.27 through ajp13 connector
 - don't have access to the server configuration

 
0
Comment
Question by:Xyleen
  • 4
  • 3
7 Comments
 
LVL 7

Accepted Solution

by:
searlas earned 80 total points
ID: 10831729
You need to make sure your load-balancer is sticky.  i.e. if you have two servers, and a user logs in to server A, it's not point maintaining a session on server A if the load balanacer sends the users next request to server B.

Apart from configuring the load balancer correctly, there need not be any differences between a JSP running on one server, and a JSP running on a node in a cluster...

If you're not using Cookies then you need to use URL rewriting, but that still requriest the load balancer to be configured correctly. See HttpServletResponse.encodeURL and HttpServletResponse.encodeRedirectURL




0
 

Author Comment

by:Xyleen
ID: 10831897
I cannot configure the load balancer myself.
Is there anyway i can keep the user on the same server through jsp ?
0
 
LVL 7

Expert Comment

by:searlas
ID: 10832636
Assuming your load balancer properly hides the ip address of the servers, the answer is no.
0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 

Author Comment

by:Xyleen
ID: 10832959
euhm, anyone another idea ?
0
 
LVL 7

Expert Comment

by:searlas
ID: 10834434
OK, you start of by saying you *think* it has something to do with load balancing servers.

What code are you trying, what behavior are you expecting, what behavior are you seeing?

Try the JSP below.  The first time you load it you should see 'Created new session', but when clicking reload (the HTML anchor) you should see 'Session already exists'.  Try this a few more times to check whether the load balancer is sticky or not.  If it's working correctly you should only see 'Created new session' once.

test.jsp:
<% if ( request.getSession(false) == null || request.getSession().isNew() ) { %>
Created new session: <%= request.getSession().getId() %>
<% } else { %>
Session already exists: <%= request.getSession().getId() %>
<% } %>
<a href="<%= response.encodeURL(request.getRequestURL().toString()) %>">reload</a>

0
 

Author Comment

by:Xyleen
ID: 10839758
Searlas,

Of course this code works because
<a href="<%= response.encodeURL(request.getRequestURL().toString()) %>">reload</a>
gives a href to the loadbalanced server. At least in my case

When i test the code and i go to let's say http://www.mydomain.com/testSession.jsp
the <a href = filled with http://www.loadbalancedserver1.ip/testSession.jsp

so when i click the link of course it works :)
when i refresh the page with F5 it creates a new session every time

So the sticky bit option is not on.
I think it's best to contact my system administrator and ask him to reconfigure the load balancer.


Thanks for the help, i'll give you the points
0
 
LVL 7

Expert Comment

by:searlas
ID: 10840199
Thanks for the points, but you've missed the point of the test.jsp.
encodeURL puts a session id in the URL if (and only if) it is required.  From your original question you said that sessions and cookies don't seem to work.  The fact that href does not have ?JSESSIONID=xxxxxwhateverxxxxx appended to the end of it indicates the application server thinks your browser can maintain the session using cookies (no idea how it determines this.)

The purpose of the test was to ensure the application server makes every possible attempt to return a session id to the browser.  Clicking the 'reload' in the href (not the browser) would then ensure the session id was sent back to the server on the next request, and SHOULD mean you see 'Session already exists'.

You say 'Of course the code works' indicating it behaves as it should (one 'Created new session' message followed by multiple 'Session already exists' messages.)  If this is the case, youre load balancer is configured correctly and is sticky, as required.

From the javadoc:

encodeURL

public java.lang.String encodeURL(java.lang.String url)
Encodes the specified URL by including the session ID in it, or, if encoding is not needed, returns the URL unchanged. The implementation of this method includes the logic to determine whether the session ID needs to be encoded in the URL. For example, if the browser supports cookies, or session tracking is turned off, URL encoding is unnecessary.

For robust session tracking, all URLs emitted by a servlet should be run through this method. Otherwise, URL rewriting cannot be used with browsers which do not support cookies.
Parameters:
url - the url to be encoded.
Returns:
the encoded URL if encoding is needed; the unchanged URL otherwise.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

In  today’s increasingly digital world, managed service providers (MSPs) fight for their customers’ attention, looking for ways to make them stay and purchase more services. One way to encourage that behavior is to develop a dependable brand of prod…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now