Solved

User logon on load balanced servers

Posted on 2004-04-15
Last Modified: 2011-10-03
Hello,

I want to build a user login module but sessions and cookies don't seem to work. I think it has something to do with the load balancing between different servers.

How do I implement sessions on load-balanced servers?
I don't want to use client-side scripting (JS cookies) because of security issues.

FYI
 - Apache server
 - Apache Tomcat/4.1.27 through ajp13 connector
 - don't have access to the server configuration

 
Question by:Xyleen
7 Comments
 
LVL 7

Accepted Solution

by:
searlas earned 80 total points
ID: 10831729
You need to make sure your load balancer is sticky, i.e. if you have two servers, and a user logs in to server A, there's no point maintaining a session on server A if the load balancer sends the user's next request to server B.

Apart from configuring the load balancer correctly, there need not be any differences between a JSP running on one server, and a JSP running on a node in a cluster...

If you're not using cookies then you need to use URL rewriting, but that still requires the load balancer to be configured correctly. See HttpServletResponse.encodeURL and HttpServletResponse.encodeRedirectURL




0
 

Author Comment

by:Xyleen
ID: 10831897
I cannot configure the load balancer myself.
Is there any way I can keep the user on the same server through JSP?
0
 
LVL 7

Expert Comment

by:searlas
ID: 10832636
Assuming your load balancer properly hides the ip address of the servers, the answer is no.
0

 

Author Comment

by:Xyleen
ID: 10832959
Euhm, does anyone have another idea?
0
 
LVL 7

Expert Comment

by:searlas
ID: 10834434
OK, you start off by saying you *think* it has something to do with load balancing servers.

What code are you trying, what behavior are you expecting, what behavior are you seeing?

Try the JSP below.  The first time you load it you should see 'Created new session', but when clicking reload (the HTML anchor) you should see 'Session already exists'.  Try this a few more times to check whether the load balancer is sticky or not.  If it's working correctly you should only see 'Created new session' once.

test.jsp:
<% if ( request.getSession(false) == null || request.getSession().isNew() ) { %>
Created new session: <%= request.getSession().getId() %>
<% } else { %>
Session already exists: <%= request.getSession().getId() %>
<% } %>
<a href="<%= response.encodeURL(request.getRequestURL().toString()) %>">reload</a>

0
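The stickiness test above, modelled offline as an added example (not code from the thread): two nodes with separate in-memory session stores sit behind a balancer that is either sticky or round-robin, and a client returns its session ID on every request. The node names, the node suffix on the session ID and the routing logic are assumptions of this sketch.

```python
import itertools
import secrets


class Node:
    """One application server with its own in-memory session store."""

    def __init__(self, name):
        self.name = name
        self.sessions = set()

    def handle(self, session_id):
        # Mirrors test.jsp: reuse a session this node knows, otherwise create one.
        if session_id in self.sessions:
            return session_id, "Session already exists"
        # Hypothetical ID format: random token plus the owning node's name.
        new_id = f"{secrets.token_hex(8)}.{self.name}"
        self.sessions.add(new_id)
        return new_id, "Created new session"


class Balancer:
    """Routes requests round-robin, or by session owner when sticky."""

    def __init__(self, nodes, sticky):
        self.nodes = {n.name: n for n in nodes}
        self.sticky = sticky
        self._round_robin = itertools.cycle(nodes)

    def route(self, session_id):
        if self.sticky and session_id:
            owner = session_id.rpartition(".")[2]
            if owner in self.nodes:
                return self.nodes[owner]
        return next(self._round_robin)


def run_client(sticky, requests=6):
    """Send requests like a browser that always returns its session ID."""
    balancer = Balancer([Node("nodeA"), Node("nodeB")], sticky)
    session_id, messages = None, []
    for _ in range(requests):
        node = balancer.route(session_id)
        session_id, message = node.handle(session_id)
        messages.append(message)
    return messages


if __name__ == "__main__":
    for sticky in (True, False):
        created = run_client(sticky).count("Created new session")
        print(f"sticky={sticky}: 'Created new session' seen {created} time(s)")
```

Without stickiness every request lands on a node that has never seen the presented session ID, so a login state stored in the session is lost on each request even though the client behaves correctly.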
 

Author Comment

by:Xyleen
ID: 10839758
Searlas,

Of course this code works because
<a href="<%= response.encodeURL(request.getRequestURL().toString()) %>">reload</a>
gives a href to the loadbalanced server. At least in my case

When I test the code and I go to, let's say, http://www.mydomain.com/testSession.jsp
the <a href= is filled with http://www.loadbalancedserver1.ip/testSession.jsp

So when I click the link of course it works :)
When I refresh the page with F5 it creates a new session every time.

So the sticky bit option is not on.
I think it's best to contact my system administrator and ask him to reconfigure the load balancer.


Thanks for the help, I'll give you the points
0
 
LVL 7

Expert Comment

by:searlas
ID: 10840199
Thanks for the points, but you've missed the point of the test.jsp.
encodeURL puts a session id in the URL if (and only if) it is required.  From your original question you said that sessions and cookies don't seem to work.  The fact that href does not have ?JSESSIONID=xxxxxwhateverxxxxx appended to the end of it indicates the application server thinks your browser can maintain the session using cookies (no idea how it determines this.)

The purpose of the test was to ensure the application server makes every possible attempt to return a session id to the browser.  Clicking the 'reload' in the href (not the browser) would then ensure the session id was sent back to the server on the next request, and SHOULD mean you see 'Session already exists'.

You say 'Of course the code works' indicating it behaves as it should (one 'Created new session' message followed by multiple 'Session already exists' messages.)  If this is the case, your load balancer is configured correctly and is sticky, as required.

From the javadoc:

encodeURL

public java.lang.String encodeURL(java.lang.String url)
Encodes the specified URL by including the session ID in it, or, if encoding is not needed, returns the URL unchanged. The implementation of this method includes the logic to determine whether the session ID needs to be encoded in the URL. For example, if the browser supports cookies, or session tracking is turned off, URL encoding is unnecessary.

For robust session tracking, all URLs emitted by a servlet should be run through this method. Otherwise, URL rewriting cannot be used with browsers which do not support cookies.
Parameters:
url - the url to be encoded.
Returns:
the encoded URL if encoding is needed; the unchanged URL otherwise.
0
