sessions on servers with failover

Posted on 2006-07-20
Last Modified: 2011-09-20
I'm working on a large project at the moment that will eventually be run on multiple servers (round robin), and some servers will have failover to a second server. When the user visits the site they are given a session id from the server; say, for example, that the server now died and the other server took over on the same IP address. The user then loads another page on the server (not realising that it has just failed over to another server), and the browser will send the session id to the server.

My question is - what happens next?!

From what I can work out there are only 3 options -
1) the server ignores the session id from the browser and gives it a new one
2) the server takes on the session id from the browser and re-creates the session on the server using that id
3) there is an error (probably given by the server saying "invalid session id").

I imagine this same thing happens with Firefox a lot, as the SessionSaver plugin saves the session id and then gives it back to the browser next time you view that page? So the server has to deal with the session id being different from the one it wants to give.

I'd think this would be the same on all servers/clients - but I need the answer for both Firefox and IE, and the server is running Apache2 and PHP5 (or will be by the time we get the failover in place!).


Tom Chapman
Question by:tomcee

Expert Comment

ID: 17147497
Your backup server wouldn't know the client session ID if it was given by the previous server. If it is a J2EE project, how to handle these 3 options depends on how you program it. You have to check if the session is valid by using isRequestedSessionIdValid() wherever you try to getSession. getSession(true) can also create a new session if there is no current session.

Accepted Solution

SimonBlake earned 500 total points
ID: 17147534
The behavior between FF and IE will be the same, as they "don't care" about what web server is serving the pages, only the content that is coming from them - they only have responsibility to pass back header/cookie/URL and form data...

From my experience, however, if a session doesn't exist on the server and you pass it a session id, it will simply create a new memory space for it (can't remember if it will re-use the id passed to it; I think it will if it's in the same format) - but the session will be empty of all your user data!!!

Btw, if the session does exist already and you send it from another browser, you can hijack another person's session!!!! This is often used in cross site scripting attacks, as IIS does not check the originating IP address/browser header etc... It just assumes it's valid because it has a valid ID!!!!

What I think you need in your situation is not a round robin or wolfpack server tier but a full network load balanced (WLS/NLB) service that shares sessions between hosts. It's a bit more complicated to set up, as it requires double network points between the hosts themselves to share the info, as well as the public network card you will talk to.



Expert Comment

ID: 17147545
Oops, just saw the PHP/Apache comment - ignore my comments about IIS.

Author Comment

ID: 17147760
Thinking about it more, I think we have decided to keep as much as possible in the database and use our own session id in a cookie. When the server does fall over, the stuff in the session variables will be fine; it's not there on the second server, as it'll be re-created if it's needed (as will most of the website - but that's a different matter!).
If I was to create my own session id using cookies, then if the server changed (by it failing over to another server), is there anything to stop me getting that session id using normal cookie stuff?
i.e. does the server somehow validate the cookie given to the IP address using Apache? (Only asking this since you said that IIS doesn't validate the session id; would it be PHP itself that validates the IP to the PHPSESSID?)
We were thinking in depth about this earlier and realised that someone could easily change IP (wireless LAN walking through town, or a load balanced internet connection in an office?), so we don't want the session id validated by IP. I think we have decided to use our own session id, and an encrypted validation string so we can verify that the session is in fact from the correct browser.
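One way to build the "own session id plus validation string" the author settles on, and to get the "discard an unknown id rather than adopt it" behaviour the accepted answer contrasts with empty-session creation, is a self-validating token that any server in the failover pair can check with a shared secret. This is an added example written for this page, not code from the thread; it assumes PHP 7.1 or later, a cookie name `app_sid`, and a `$secret` loaded from configuration shared by both servers (placeholder here).

```php
<?php
// Added example: a session token whose validity depends only on a secret
// shared by both servers, so the fail-over server can verify a token it did
// not issue. The id part is the key for session data kept in the shared DB.

const SESSION_COOKIE = 'app_sid';  // assumed cookie name

// Issue a token: 16 random bytes (hex) followed by an HMAC over them.
function issue_session_token(string $secret): string
{
    $id  = bin2hex(random_bytes(16));
    $mac = hash_hmac('sha256', $id, $secret);
    return $id . '.' . $mac;
}

// Return the validated id, or null when the token is absent, malformed or
// the HMAC does not match. hash_equals() compares in constant time.
function verify_session_token(?string $token, string $secret): ?string
{
    if ($token === null || substr_count($token, '.') !== 1) {
        return null;
    }
    [$id, $mac] = explode('.', $token, 2);
    if (strlen($id) !== 32 || !ctype_xdigit($id)) {
        return null;
    }
    $expected = hash_hmac('sha256', $id, $secret);
    return hash_equals($expected, $mac) ? $id : null;
}

// Per-request bootstrap: accept a token that verifies, otherwise issue a new
// one. An unverifiable token is never adopted as a session id (option 1 in
// the question), so a forged or stale cookie cannot name a session of its own.
function bootstrap_session(string $secret): string
{
    $id = verify_session_token($_COOKIE[SESSION_COOKIE] ?? null, $secret);
    if ($id === null) {
        $token = issue_session_token($secret);
        $id    = verify_session_token($token, $secret);
        // Secure + HttpOnly: not sent over plain HTTP, not readable by script.
        setcookie(SESSION_COOKIE, $token, 0, '/', '', true, true);
    }
    return $id;  // look the user's state up in the shared database by this id
}
```

If native PHP sessions are kept instead, `session.use_strict_mode=1` (PHP 5.5.2 and later) makes PHP generate a fresh id for any id it has no record of, which removes the "accept an arbitrary id and create an empty session for it" behaviour described in the accepted answer.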
