User logon on load balanced servers

Hello,

I want to build a user login module but sessions and cookies don't seem to work. I think it has something to do with the load balancing between different servers.

How do I implement sessions on load balanced servers?
I don't want to use client-side scripting (JS cookies) because of security issues.

FYI
 - Apache server
 - Apache Tomcat/4.1.27 through ajp13 connector
 - don't have access to the server configuration

 
Asked by: Xyleen

searlas Commented:
You need to make sure your load balancer is sticky, i.e. if you have two servers, and a user logs in to server A, there's no point maintaining a session on server A if the load balancer sends the user's next request to server B.

Apart from configuring the load balancer correctly, there need not be any differences between a JSP running on one server, and a JSP running on a node in a cluster...

If you're not using Cookies then you need to use URL rewriting, but that still requires the load balancer to be configured correctly. See HttpServletResponse.encodeURL and HttpServletResponse.encodeRedirectURL




Xyleen (Author) Commented:
I cannot configure the load balancer myself.
Is there any way I can keep the user on the same server through JSP?

searlas Commented:
Assuming your load balancer properly hides the IP address of the servers, the answer is no.

 
Xyleen (Author) Commented:
Euhm, anyone have another idea?

searlas Commented:
OK, you start off by saying you *think* it has something to do with load balancing servers.

What code are you trying, what behavior are you expecting, what behavior are you seeing?

Try the JSP below.  The first time you load it you should see 'Created new session', but when clicking reload (the HTML anchor) you should see 'Session already exists'.  Try this a few more times to check whether the load balancer is sticky or not.  If it's working correctly you should only see 'Created new session' once.

test.jsp:
<% if ( request.getSession(false) == null || request.getSession().isNew() ) { %>
Created new session: <%= request.getSession().getId() %>
<% } else { %>
Session already exists: <%= request.getSession().getId() %>
<% } %>
<a href="<%= response.encodeURL(request.getRequestURL().toString()) %>">reload</a>


Xyleen (Author) Commented:
Searlas,

Of course this code works because
<a href="<%= response.encodeURL(request.getRequestURL().toString()) %>">reload</a>
gives an href to the load-balanced server. At least in my case.

When I test the code and I go to, let's say, http://www.mydomain.com/testSession.jsp
the <a href= is filled with http://www.loadbalancedserver1.ip/testSession.jsp

So when I click the link of course it works :)
When I refresh the page with F5 it creates a new session every time.

So the sticky bit option is not on.
I think it's best to contact my system administrator and ask him to reconfigure the load balancer.


Thanks for the help, I'll give you the points.

searlas Commented:
Thanks for the points, but you've missed the point of the test.jsp.
encodeURL puts a session id in the URL if (and only if) it is required.  From your original question you said that sessions and cookies don't seem to work.  The fact that href does not have ?JSESSIONID=xxxxxwhateverxxxxx appended to the end of it indicates the application server thinks your browser can maintain the session using cookies (no idea how it determines this.)

The purpose of the test was to ensure the application server makes every possible attempt to return a session id to the browser.  Clicking the 'reload' in the href (not the browser) would then ensure the session id was sent back to the server on the next request, and SHOULD mean you see 'Session already exists'.

You say 'Of course the code works' indicating it behaves as it should (one 'Created new session' message followed by multiple 'Session already exists' messages.)  If this is the case, your load balancer is configured correctly and is sticky, as required.

From the javadoc:

encodeURL

public java.lang.String encodeURL(java.lang.String url)
Encodes the specified URL by including the session ID in it, or, if encoding is not needed, returns the URL unchanged. The implementation of this method includes the logic to determine whether the session ID needs to be encoded in the URL. For example, if the browser supports cookies, or session tracking is turned off, URL encoding is unnecessary.

For robust session tracking, all URLs emitted by a servlet should be run through this method. Otherwise, URL rewriting cannot be used with browsers which do not support cookies.
Parameters:
url - the url to be encoded.
Returns:
the encoded URL if encoding is needed; the unchanged URL otherwise.
Question has a verified solution.
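
An extended version of the test page discussed in the thread, added here as an illustration (not code posted by either participant): it reports which backend node answered and whether the session ID the browser presented is known on that node, and it builds the reload link from the request path so the link resolves against the address in the browser rather than a backend host. It assumes a Servlet 2.3 container such as the Tomcat 4.1 named in the question; the `esc` helper and the output labels are hypothetical.

```jsp
<%@ page session="false" import="java.net.InetAddress" %>
<%!
    // Added helper (hypothetical name): HTML-escape values before printing them.
    // The requested session ID comes from the client and must not be echoed raw.
    static String esc(String s) {
        if (s == null) return "(none)";
        StringBuffer out = new StringBuffer();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }
%>
<%
    response.setHeader("Cache-Control", "no-store");  // make F5 hit the server
    // Read what the browser presented BEFORE creating a session on this node.
    String presented = request.getRequestedSessionId();
    boolean known = request.isRequestedSessionIdValid();
    HttpSession s = request.getSession(true);
    String node = InetAddress.getLocalHost().getHostName();
    String verdict;
    if (presented == null) {
        verdict = "No session ID presented: first visit, or the ID was not sent back.";
    } else if (!known) {
        verdict = "ID presented but unknown here: another node issued it, or it expired.";
    } else {
        verdict = "ID presented and recognised on this node.";
    }
%>
<pre>
Served by node:       <%= esc(node) %>
Session ID presented: <%= esc(presented) %>
  from cookie / URL:  <%= request.isRequestedSessionIdFromCookie() %> / <%= request.isRequestedSessionIdFromURL() %>
Session on this node: <%= esc(s.getId()) %> (new: <%= s.isNew() %>)
Verdict:              <%= esc(verdict) %>
</pre>
<a href="<%= esc(response.encodeURL(request.getRequestURI())) %>">reload</a>
```

Load it through the public address and press F5 several times: a changing node name together with "ID presented but unknown here" points at a balancer that is not sticky. Remove the page afterwards, since it prints the backend host name and session IDs.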
