Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

User logon on load balanced servers

Posted on 2004-04-15
7
Medium Priority
?
396 Views
Last Modified: 2011-10-03
Hello,

I want to build a user login module but sessions and cookies don't seem to work. I think it has something to do with the load balancing between different servers.

How do i implement sessions on load balanced servers ?
I don't want to user client-side scripting(js cookies) because of security issues.

FYI
 - Apache server
 - Apache Tomcat/4.1.27 through ajp13 connector
 - don't have access to the server configuration

 
0
Comment
Question by:Xyleen
  • 4
  • 3
7 Comments
 
LVL 7

Accepted Solution

by:
searlas earned 320 total points
ID: 10831729
You need to make sure your load-balancer is sticky.  i.e. if you have two servers, and a user logs in to server A, it's not point maintaining a session on server A if the load balanacer sends the users next request to server B.

Apart from configuring the load balancer correctly, there need not be any differences between a JSP running on one server, and a JSP running on a node in a cluster...

If you're not using Cookies then you need to use URL rewriting, but that still requriest the load balancer to be configured correctly. See HttpServletResponse.encodeURL and HttpServletResponse.encodeRedirectURL




0
 

Author Comment

by:Xyleen
ID: 10831897
I cannot configure the load balancer myself.
Is there anyway i can keep the user on the same server through jsp ?
0
 
LVL 7

Expert Comment

by:searlas
ID: 10832636
Assuming your load balancer properly hides the ip address of the servers, the answer is no.
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 

Author Comment

by:Xyleen
ID: 10832959
euhm, anyone another idea ?
0
 
LVL 7

Expert Comment

by:searlas
ID: 10834434
OK, you start of by saying you *think* it has something to do with load balancing servers.

What code are you trying, what behavior are you expecting, what behavior are you seeing?

Try the JSP below.  The first time you load it you should see 'Created new session', but when clicking reload (the HTML anchor) you should see 'Session already exists'.  Try this a few more times to check whether the load balancer is sticky or not.  If it's working correctly you should only see 'Created new session' once.

test.jsp:
<% if ( request.getSession(false) == null || request.getSession().isNew() ) { %>
Created new session: <%= request.getSession().getId() %>
<% } else { %>
Session already exists: <%= request.getSession().getId() %>
<% } %>
<a href="<%= response.encodeURL(request.getRequestURL().toString()) %>">reload</a>

0
 

Author Comment

by:Xyleen
ID: 10839758
Searlas,

Of course this code works because
<a href="<%= response.encodeURL(request.getRequestURL().toString()) %>">reload</a>
gives a href to the loadbalanced server. At least in my case

When i test the code and i go to let's say http://www.mydomain.com/testSession.jsp
the <a href = filled with http://www.loadbalancedserver1.ip/testSession.jsp

so when i click the link of course it works :)
when i refresh the page with F5 it creates a new session every time

So the sticky bit option is not on.
I think it's best to contact my system administrator and ask him to reconfigure the load balancer.


Thanks for the help, i'll give you the points
0
 
LVL 7

Expert Comment

by:searlas
ID: 10840199
Thanks for the points, but you've missed the point of the test.jsp.
encodeURL puts a session id in the URL if (and only if) it is required.  From your original question you said that sessions and cookies don't seem to work.  The fact that href does not have ?JSESSIONID=xxxxxwhateverxxxxx appended to the end of it indicates the application server thinks your browser can maintain the session using cookies (no idea how it determines this.)

The purpose of the test was to ensure the application server makes every possible attempt to return a session id to the browser.  Clicking the 'reload' in the href (not the browser) would then ensure the session id was sent back to the server on the next request, and SHOULD mean you see 'Session already exists'.

You say 'Of course the code works' indicating it behaves as it should (one 'Created new session' message followed by multiple 'Session already exists' messages.)  If this is the case, youre load balancer is configured correctly and is sticky, as required.

From the javadoc:

encodeURL

public java.lang.String encodeURL(java.lang.String url)
Encodes the specified URL by including the session ID in it, or, if encoding is not needed, returns the URL unchanged. The implementation of this method includes the logic to determine whether the session ID needs to be encoded in the URL. For example, if the browser supports cookies, or session tracking is turned off, URL encoding is unnecessary.

For robust session tracking, all URLs emitted by a servlet should be run through this method. Otherwise, URL rewriting cannot be used with browsers which do not support cookies.
Parameters:
url - the url to be encoded.
Returns:
the encoded URL if encoding is needed; the unchanged URL otherwise.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Machine Learning is one of the profound applications of AI and therefore, just like AI, it is surrounded by myths and fears. Check out these facts about ML that demystify the related myths.
The deadly train derailment that occurred recently in DuPont, Washington, raises a lot of questions. It was a new route, the first trip tested with passengers, and the train was travelling at 50 mph over the zone’s speed limit. Could IoT play a role…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
Loops Section Overview
Suggested Courses

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question