Solved

sessions on servers with failover

Posted on 2006-07-20
Last Modified: 2011-09-20
I'm working on a large project at the moment that will eventually be run on multiple servers (round robin), and some servers will have failover to a second server. When the user visits the site they are given a session id from the server. Say, for example, that the server now died and the other server took over on the same IP address. The user then loads another page on the server (not realising that it has just failed over to another server), and the browser will send the session id to the server.

My question is - what happens next ?!?

From what I can work out there are only 3 options:
1) the server ignores the session id from the browser and gives it a new one
2) the server takes on the session id from the browser and re-creates the session on the server using that id
3) there is an error (probably given by the server, saying "invalid session id").

I imagine this same thing happens with Firefox a lot, as the SessionSaver plugin saves the session id and then gives it back to the browser the next time you view that page, so the server has to deal with the session id being different from the one it wants to give.

I'd think this would be the same on all servers/clients, but I need the answer for both Firefox and IE, and the server is running Apache 2 and PHP 5 (or will be by the time we get the failover in place!).

Thanks.


Tom Chapman
Question by:tomcee
4 Comments
 

Expert Comment

by:owenli27
ID: 17147497
Your backup server wouldn't know the client session ID if it was given by the previous server. If it is a J2EE project, how to handle these 3 options depends on how you program it. You have to check whether the session is valid by using isRequestedSessionIdValid() wherever you try to getSession. getSession(true) can also create a new session if there is no current session.
 

Accepted Solution

by: SimonBlake (earned 500 total points)
ID: 17147534
The behavior between FF and IE will be the same, as they "don't care" about what web server is serving the pages, only the content that is coming from them - they only have responsibility to pass back header/cookie/URL and form data...

From my experience however, if a session doesn't exist on the server and you pass it a session id, it will simply create a new memory space for it (can't remember if it will re-use the id passed to it, I think it will if it's in the same format) - but the session will be empty of all your user data!!!

Btw. If the session does exist already and you send it from another browser, you can hijack another person's session!!!! This is often used in cross site scripting attacks as IIS does not check the originating IP address/browser header etc... Just assumes it's valid because it has a valid ID!!!!

What I think you need in your situation is not a round robin or wolfpack server tier but a full network load balanced (WLS/NLB) service that shares sessions between hosts. It's a bit more complicated to set up as it requires double network points between the hosts themselves to share the info, as well as the public network card you will talk to.

S.

 

Expert Comment

by:SimonBlake
ID: 17147545
Oops, just saw the PHP/Apache comment - ignore my comments about IIS.
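For the Apache/PHP stack in the question, the accepted answer's "it will simply create a new memory space for it" is what PHP does out of the box: with session.use_strict_mode off (the default, and the only behaviour before the setting appeared in PHP 5.5.2) the server adopts whatever ID the cookie carries and starts an empty session under it, which is the question's option 2 and is also the precondition for session fixation. With strict mode on, PHP discards an ID it never issued and generates a new one (option 1). Neither setting brings the user's data back after a failover unless the session store itself is shared between the nodes, which is what a database-backed save handler provides. The script below is an added example written for this page, not code from the thread: it assumes PHP 8.1 or later with pdo_sqlite, uses an in-memory SQLite database as a stand-in for the shared store, and implements PHP's validateId() hook, which strict mode consults for user-defined handlers to decide whether a client-supplied ID is genuine.

```php
<?php
// Added example for this page, not code from the thread. Assumes PHP 8.1+
// with pdo_sqlite; the in-memory database stands in for the shared session
// store (MySQL, Redis, ...) that every node behind the balancer would use.
declare(strict_types=1);

// Save handler backed by the shared store. validateId() is the hook that
// session.use_strict_mode consults: only IDs present in the store are genuine.
final class SharedDbSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS sessions
                   (id TEXT PRIMARY KEY, data TEXT NOT NULL, updated INTEGER NOT NULL)');
    }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $row = $st->fetchColumn();
        return $row === false ? '' : (string) $row;   // unknown ID reads as an empty session
    }
    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare('INSERT OR REPLACE INTO sessions (id, data, updated) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time()]);
    }
    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE updated < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
    public function validateId(string $id): bool
    {
        $st = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ?');
        $st->execute([$id]);
        return $st->fetchColumn() !== false;
    }
    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->write($id, $data);
    }
}

// Replays the question's requests on the command line (no real cookies: the
// cookie value is fed in with session_id(), which is where PHP would put it).
function demo(): array
{
    ini_set('session.use_cookies', '0');     // CLI: no Set-Cookie / cache headers
    ini_set('session.use_only_cookies', '0');
    ini_set('session.cache_limiter', '');
    session_set_save_handler(new SharedDbSessionHandler(new PDO('sqlite::memory:')), true);

    // Request 1 on node A: PHP issues an ID, user data lands in the shared store.
    ini_set('session.use_strict_mode', '1');
    session_start();
    $_SESSION['user'] = 'tomcee';
    $issuedByA = session_id();
    session_write_close();

    // Request 2 on node B after failover, same cookie value: the store is shared,
    // so validateId() succeeds and the session is resumed with its data intact.
    session_id($issuedByA);
    session_start();
    $resumedUser = $_SESSION['user'] ?? null;
    session_write_close();

    // Request 3: an ID no server issued (attacker-chosen, or from a node whose local
    // store is gone). Strict mode discards it and issues a fresh ID (option 1).
    $unknown = '0123456789abcdef0123456789abcdef';
    session_id($unknown);
    session_start();
    $strictId = session_id();
    session_write_close();

    // Same request with strict mode off (PHP's default): the unknown ID is adopted
    // and an empty session starts under it (option 2), the session fixation case.
    ini_set('session.use_strict_mode', '0');
    session_id($unknown);
    session_start();
    $lenientId = session_id();
    session_write_close();

    return [
        'resumed_on_node_b'      => $resumedUser,
        'strict_rejects_unknown' => $strictId !== $unknown,
        'lenient_adopts_unknown' => $lenientId === $unknown,
    ];
}

print_r(demo());
```

Run it with `php failover_sessions.php`. The three keys in the output correspond to the session resumed on the second node, the never-issued ID being replaced under strict mode, and the same ID being adopted once strict mode is off. On a real deployment, also call session_regenerate_id(true) after login, so an ID that was valid before authentication does not stay valid after it, and point session.save_handler at the same store on every node rather than at each node's local files directory.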
 

Author Comment

by:tomcee
ID: 17147760
Thinking about it more, I think we have decided to keep as much as possible in the database and use our own session id in a cookie. When the server does fail over, the stuff in the session variables will be fine that it's not there on the second server, as it'll be re-created if it's needed (as will most of the website - but that's a different matter!).
If I was to create my own session id using cookies, then if the server changed (by it failing over to another server) is there anything to stop me getting that session id using normal cookie stuff?
i.e. does the server somehow validate the cookie given to the IP address using Apache? (only asking this since you said that IIS doesn't validate the session id; would it be PHP itself that validates the IP against the PHPSESSID?)
We were thinking in depth about this earlier and realised that someone could easily change IP (wireless LAN walking through town, or a load balanced internet connection in an office?) so we don't want the session id validated by IP. I think we have decided to use our own session id, and an encrypted validation string so we can verify that the session is in fact from the correct browser.
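One way to build the "own session id plus validation string" cookie from the comment above, as an added example that is not taken from the thread. It uses a keyed MAC (HMAC-SHA256 over the ID and an expiry) rather than encryption, because the property wanted is that nobody can forge or alter the value, not that it is secret; the same key on every node lets whichever server receives the request verify the cookie with no per-server state and without looking at the client IP, which is the roaming-client case the comment worries about. The key, the cookie name `sid` and the frozen timestamps are constructed values for the demonstration. One caveat a practitioner would add: the tag proves that a server holding the key issued the cookie, not which browser currently holds it, so the cookie still needs Secure and HttpOnly and the ID should be regenerated after login.

```php
<?php
// Added example for this page, not code from the thread. Assumes PHP 8.0+.
// The key is a constructed placeholder: in practice load the same secret on
// every node from configuration, never from the source tree.
declare(strict_types=1);

const SESSION_TTL = 3600;   // seconds a minted cookie stays valid

// Mint a cookie value: <128-bit random ID>.<expiry>.<HMAC-SHA256 tag>.
// The ID is the primary key for the session row in the shared database.
function mint_session_cookie(string $key, ?int $now = null): string
{
    $now ??= time();
    $id = bin2hex(random_bytes(16));           // CSPRNG, not uniqid()/mt_rand()
    $payload = $id . '.' . ($now + SESSION_TTL);
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Verify on whichever node receives the request. Returns the session ID, or
// null if the value is malformed, forged, altered or expired. No client IP or
// User-Agent is consulted, so a client that changes address keeps its session.
function verify_session_cookie(string $key, string $cookie, ?int $now = null): ?string
{
    $now ??= time();
    $parts = explode('.', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$id, $expires, $tag] = $parts;
    if (!preg_match('/^[0-9a-f]{32}$/', $id) || !preg_match('/^[0-9]{1,12}$/', $expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $id . '.' . $expires, $key);
    if (!hash_equals($expected, $tag)) {       // constant-time comparison, tag checked first
        return null;
    }
    return (int) $expires >= $now ? $id : null;  // expiry is only trusted once the tag holds
}

// Send it with the flags that limit who can read or replay it (PHP 7.3+
// options-array form of setcookie; 'sid' is an assumed cookie name).
function send_session_cookie(string $value): bool
{
    return setcookie('sid', $value, [
        'expires'  => 0,        // browser-session cookie; the signed expiry is what we trust
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Self-check with a constructed key and a frozen clock.
$key      = 'shared-secret-configured-on-every-node';
$t0       = 1_700_000_000;
$cookie   = mint_session_cookie($key, $t0);
$tampered = ($cookie[0] === 'a' ? 'b' : 'a') . substr($cookie, 1);   // flip one ID character

var_dump(
    verify_session_cookie($key, $cookie, $t0),                       // genuine, in date
    verify_session_cookie($key, $tampered, $t0),                     // altered ID
    verify_session_cookie('other-key', $cookie, $t0),                // wrong key (a node without the shared secret)
    verify_session_cookie($key, $cookie, $t0 + SESSION_TTL + 1),     // expired
);
```

Only the first call yields a session ID; the other three return null. On each request the verified ID is what you look up in the database, so a node that has never seen the client before still finds the session as long as the database is shared. If the key ever has to be rotated, keep the old key for verification until the last cookie signed with it has expired.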
