sessions on servers with fallover

Posted on 2006-07-20
Last Modified: 2011-09-20
I'm working on a large project at the moment that will eventually be run on multiple servers (round robin) and some servers will have fallover to a second server. When the user visits the site they are given a session id from the server, say for example that the server now died and the other server took over on the same ip address. The user then loads another page on the server (not realising that its just fallen over to another server), the browser will send the session id to the server.

My question is - what happens next ?!?

From what I can work out there are only 3 options -
1) the server ignores the session id from the browser and gives it a new one
2) the server takes on the session id from the browser and re-creates the session on the server using that id
3) there is an error (probably given by the server saying "invalid session id".

I imagine this same thing happens with firefox lots as the sessionsaver plugin saves the session id, and then gives it back to the browser next time you view that page ? , so the server has to deal with the session id being different than the one it wants to give then.

I'd think this would be the same on all servers/clients - but I need the answer for both Firefox and IE, and the server is running apache2 and php5 (or will be by the time we get the fallover in place !).


Tom Chapman
Question by:tomcee
  • 2

Expert Comment

ID: 17147497
Your backup server wouldn't  know the client seeion ID if it was given from previous server.   If it is J2EE project,  to handle these 3 options  depends on how you program it .  You have to check if session is valid by using isRequestedSessionIdValid() wherever you try to getSeesion.  The getSession(true) is also can create new sessin if if there is no current session.

Accepted Solution

SimonBlake earned 500 total points
ID: 17147534
The behavior between FF and IE will be the same as they "don't care" about what web server is serving the pages, only the content that is coming from them - they only have responsibility to pass back header/cookie/url and form data...

From my experiance however, if a session doesn't exist on the server, and you pass it a session id, it will simply create a new memory space for it (can't remember if it will re-use the id passed to it, I think it will if it's in the same format) - but the session will be empty of all you user data!!!

Btw. If the session does exist already and you send it from another browser, you can hijack another persons session!!!! This is often used in cross site scripting attacks as IIS does not check the originating IP address/browser header etc... Just assumes it's valid coz it has a valid ID!!!!

What I think you need in your situation is not a round robin or wolfpack server tier but a full network load balanced(WLS/NLB) service that shares sessions between hosts. It's a bit more complicated to setup as it requires double network points between the hosts themselves to share the info as well as the public network card you will talk too.



Expert Comment

ID: 17147545
Opps just saw the PHP/Apache comment - ignore my comments about IIS

Author Comment

ID: 17147760
Thinking about it more I think we have decided to keep as much as possible in the database and use our own session id in a cookie. When the server does fall over the stuff in the session variables will be fine that its not there on the second server as it'll be re-created if its needed (as will most of the website - but thats a different matter !).
If I was to create my own session id using cookies then if the server changed (by it falling over to another server) then is there anything to stop me getting that session id using normal cookie stuff ?
i.e. does the server somehow validate the cookie given to the ip address using apache ? (only asking this since you said that iis doesnt validate the session id, would it be php itself that validates the ip to the phpsesid ?)
We were thinking in depth about this earlier and realised that someone could easily change ip (wireless lan waking through town, or a load ballanced internet connection in an office ?) so we dont want the session id validated by ip. I think we have decided to use our own session id, and an encrypted validation string so we can verify that the session is in fact from the correct browser.

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Preface This article introduces an authentication and authorization system for a website.  It is understood by the author and the project contributors that there is no such thing as a "one size fits all" system.  That being said, there is a certa…
Browsers only know CSS so your awesome SASS code needs to be translated into normal CSS. Here I'll try to explain what you should aim for in order to take full advantage of SASS.
Viewers will learn about arithmetic and Boolean expressions in Java and the logical operators used to create Boolean expressions. We will cover the symbols used for arithmetic expressions and define each logical operator and how to use them in Boole…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question