Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

User logon on load balanced servers

Posted on 2004-04-15
7
Medium Priority
?
392 Views
Last Modified: 2011-10-03
Hello,

I want to build a user login module but sessions and cookies don't seem to work. I think it has something to do with the load balancing between different servers.

How do i implement sessions on load balanced servers ?
I don't want to user client-side scripting(js cookies) because of security issues.

FYI
 - Apache server
 - Apache Tomcat/4.1.27 through ajp13 connector
 - don't have access to the server configuration

 
0
Comment
Question by:Xyleen
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 7

Accepted Solution

by:
searlas earned 320 total points
ID: 10831729
You need to make sure your load-balancer is sticky.  i.e. if you have two servers, and a user logs in to server A, it's not point maintaining a session on server A if the load balanacer sends the users next request to server B.

Apart from configuring the load balancer correctly, there need not be any differences between a JSP running on one server, and a JSP running on a node in a cluster...

If you're not using Cookies then you need to use URL rewriting, but that still requriest the load balancer to be configured correctly. See HttpServletResponse.encodeURL and HttpServletResponse.encodeRedirectURL




0
 

Author Comment

by:Xyleen
ID: 10831897
I cannot configure the load balancer myself.
Is there anyway i can keep the user on the same server through jsp ?
0
 
LVL 7

Expert Comment

by:searlas
ID: 10832636
Assuming your load balancer properly hides the ip address of the servers, the answer is no.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Xyleen
ID: 10832959
euhm, anyone another idea ?
0
 
LVL 7

Expert Comment

by:searlas
ID: 10834434
OK, you start of by saying you *think* it has something to do with load balancing servers.

What code are you trying, what behavior are you expecting, what behavior are you seeing?

Try the JSP below.  The first time you load it you should see 'Created new session', but when clicking reload (the HTML anchor) you should see 'Session already exists'.  Try this a few more times to check whether the load balancer is sticky or not.  If it's working correctly you should only see 'Created new session' once.

test.jsp:
<% if ( request.getSession(false) == null || request.getSession().isNew() ) { %>
Created new session: <%= request.getSession().getId() %>
<% } else { %>
Session already exists: <%= request.getSession().getId() %>
<% } %>
<a href="<%= response.encodeURL(request.getRequestURL().toString()) %>">reload</a>

0
 

Author Comment

by:Xyleen
ID: 10839758
Searlas,

Of course this code works because
<a href="<%= response.encodeURL(request.getRequestURL().toString()) %>">reload</a>
gives a href to the loadbalanced server. At least in my case

When i test the code and i go to let's say http://www.mydomain.com/testSession.jsp
the <a href = filled with http://www.loadbalancedserver1.ip/testSession.jsp

so when i click the link of course it works :)
when i refresh the page with F5 it creates a new session every time

So the sticky bit option is not on.
I think it's best to contact my system administrator and ask him to reconfigure the load balancer.


Thanks for the help, i'll give you the points
0
 
LVL 7

Expert Comment

by:searlas
ID: 10840199
Thanks for the points, but you've missed the point of the test.jsp.
encodeURL puts a session id in the URL if (and only if) it is required.  From your original question you said that sessions and cookies don't seem to work.  The fact that href does not have ?JSESSIONID=xxxxxwhateverxxxxx appended to the end of it indicates the application server thinks your browser can maintain the session using cookies (no idea how it determines this.)

The purpose of the test was to ensure the application server makes every possible attempt to return a session id to the browser.  Clicking the 'reload' in the href (not the browser) would then ensure the session id was sent back to the server on the next request, and SHOULD mean you see 'Session already exists'.

You say 'Of course the code works' indicating it behaves as it should (one 'Created new session' message followed by multiple 'Session already exists' messages.)  If this is the case, youre load balancer is configured correctly and is sticky, as required.

From the javadoc:

encodeURL

public java.lang.String encodeURL(java.lang.String url)
Encodes the specified URL by including the session ID in it, or, if encoding is not needed, returns the URL unchanged. The implementation of this method includes the logic to determine whether the session ID needs to be encoded in the URL. For example, if the browser supports cookies, or session tracking is turned off, URL encoding is unnecessary.

For robust session tracking, all URLs emitted by a servlet should be run through this method. Otherwise, URL rewriting cannot be used with browsers which do not support cookies.
Parameters:
url - the url to be encoded.
Returns:
the encoded URL if encoding is needed; the unchanged URL otherwise.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

With so many activities to perform, Exchange administrators are always busy in organizations. If everything, including Exchange Servers, Outlook clients, and Office 365 accounts work without any issues, they can sit and relax. But unfortunately, it…
Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
Loops Section Overview

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question