

Sessions on servers with failover

Posted on 2006-07-20
Medium Priority
Last Modified: 2011-09-20
I'm working on a large project at the moment that will eventually be run on multiple servers (round robin), and some servers will have failover to a second server. When the user visits the site they are given a session id from the server. Say, for example, that the server now died and the other server took over on the same IP address. The user then loads another page on the server (not realising that it's just fallen over to another server), and the browser will send the session id to the server.

My question is - what happens next ?!?

From what I can work out there are only 3 options -
1) the server ignores the session id from the browser and gives it a new one
2) the server takes on the session id from the browser and re-creates the session on the server using that id
3) there is an error (probably given by the server saying "invalid session id").

I imagine this same thing happens with Firefox lots, as the sessionsaver plugin saves the session id and then gives it back to the browser next time you view that page (?), so the server has to deal with the session id being different from the one it wants to give then.

I'd think this would be the same on all servers/clients - but I need the answer for both Firefox and IE, and the server is running Apache 2 and PHP 5 (or will be by the time we get the failover in place!).


Tom Chapman
Question by:tomcee

Expert Comment

ID: 17147497
Your backup server wouldn't know the client session ID if it was given by the previous server. If it is a J2EE project, how these 3 options are handled depends on how you program it. You have to check whether the session is valid by using isRequestedSessionIdValid() wherever you try to getSession. getSession(true) can also create a new session if there is no current session.

Accepted Solution

SimonBlake earned 1500 total points
ID: 17147534
The behavior between FF and IE will be the same as they "don't care" about what web server is serving the pages, only the content that is coming from them - they only have responsibility to pass back header/cookie/url and form data...

From my experience however, if a session doesn't exist on the server, and you pass it a session id, it will simply create a new memory space for it (can't remember if it will re-use the id passed to it, I think it will if it's in the same format) - but the session will be empty of all your user data!!!

Btw. If the session does exist already and you send it from another browser, you can hijack another person's session!!!! This is often used in cross site scripting attacks as IIS does not check the originating IP address/browser header etc... Just assumes it's valid coz it has a valid ID!!!!

What I think you need in your situation is not a round robin or wolfpack server tier but a full network load balanced (WLS/NLB) service that shares sessions between hosts. It's a bit more complicated to set up as it requires double network points between the hosts themselves to share the info as well as the public network card you will talk to.



Expert Comment

ID: 17147545
Oops, just saw the PHP/Apache comment - ignore my comments about IIS.
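
How the shared-session setup recommended in the accepted answer can look on PHP, as an added example that is not part of the original thread: a database-backed session handler where the standby node reads what the primary wrote and, with strict mode on, refuses a session id it has no record of instead of adopting it. The class name, table layout and in-memory SQLite store are assumptions, and the code is written for PHP 8 with pdo_sqlite.

```php
<?php
// Added example. Table layout and the in-memory SQLite DSN are constructed for the demo.
final class DbSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db, private int $ttl = 1800) {}
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // Unknown or expired id: return '' so the request starts with an empty session.
    public function read(string $id): string|false
    {
        $q = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND ts > ?');
        $q->execute([$id, time() - $this->ttl]);
        $data = $q->fetchColumn();
        return $data === false ? '' : (string) $data;
    }
    public function write(string $id, string $data): bool
    {
        $q = $this->db->prepare('REPLACE INTO sessions (id, data, ts) VALUES (?, ?, ?)');
        return $q->execute([$id, $data, time()]);
    }
    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc(int $max_lifetime): int|false
    {
        $q = $this->db->prepare('DELETE FROM sessions WHERE ts < ?');
        $q->execute([time() - $max_lifetime]);
        return $q->rowCount();
    }
    // Consulted when session.use_strict_mode=1: an id with no live row is refused.
    public function validateId(string $id): bool
    {
        $q = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ? AND ts > ?');
        $q->execute([$id, time() - $this->ttl]);
        return $q->fetchColumn() !== false;
    }
    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->write($id, $data);
    }
}

// Two handler instances over one store stand in for the primary and the standby node.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, data TEXT NOT NULL, ts INTEGER NOT NULL)');
[$primary, $standby] = [new DbSessionHandler($db), new DbSessionHandler($db)];
$primary->write('constructed-id-1', 'user|s:3:"tom";');
var_dump($standby->read('constructed-id-1'), $standby->validateId('never-issued-id'));
```

On a real node, point the PDO connection at the shared database, set `session.use_strict_mode` to `1` and register the handler with `session_set_save_handler($handler, true)` before `session_start()`.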

Author Comment

ID: 17147760
Thinking about it more, I think we have decided to keep as much as possible in the database and use our own session id in a cookie. When the server does fall over, it'll be fine that the stuff in the session variables is not there on the second server, as it'll be re-created if it's needed (as will most of the website - but that's a different matter!).
If I was to create my own session id using cookies, then if the server changed (by it falling over to another server), is there anything to stop me getting that session id using normal cookie stuff?
i.e. does the server somehow validate the cookie given to the IP address using Apache? (Only asking this since you said that IIS doesn't validate the session id; would it be PHP itself that validates the IP to the PHPSESSID?)
We were thinking in depth about this earlier and realised that someone could easily change IP (wireless LAN walking through town, or a load-balanced internet connection in an office?), so we don't want the session id validated by IP. I think we have decided to use our own session id, and an encrypted validation string so we can verify that the session is in fact from the correct browser.
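
The validation-string idea from the comment above, as an added example that is not the poster's code: an HMAC over the session id and the User-Agent header is used here in place of the "encrypted validation string", with one key shared by both servers so the standby can check cookies the primary issued. The function names, token layout and key are assumptions of this example.

```php
<?php
// Added example. SECRET_KEY is a constructed placeholder; both nodes must load the same
// key from configuration, otherwise the standby cannot verify tokens the primary issued.
const SECRET_KEY = 'constructed-demo-key-change-me';

// Token layout (assumed for this example): <session id>.<HMAC-SHA256 over id and User-Agent>
function issueToken(string $userAgent): string
{
    $id  = bin2hex(random_bytes(16));                     // 128-bit unpredictable id
    $mac = hash_hmac('sha256', $id . '|' . $userAgent, SECRET_KEY);
    return $id . '.' . $mac;
}

// Returns the session id when the token is intact and bound to this User-Agent, else null.
// The client IP is deliberately not part of the check, so roaming users stay logged in.
function verifyToken(string $token, string $userAgent): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2 || !preg_match('/^[0-9a-f]{32}$/', $parts[0])) {
        return null;                                      // malformed token
    }
    [$id, $mac] = $parts;
    $expected = hash_hmac('sha256', $id . '|' . $userAgent, SECRET_KEY);
    return hash_equals($expected, $mac) ? $id : null;     // constant-time comparison
}

// Demo with constructed User-Agent strings.
$ua    = 'Mozilla/5.0 (constructed) Firefox';
$token = issueToken($ua);
var_dump(verifyToken($token, $ua));                       // same browser string, any node
var_dump(verifyToken($token, 'Other/1.0 (constructed)')); // token presented by another browser string
var_dump(verifyToken(substr($token, 0, 32) . '.' . str_repeat('0', 64), $ua)); // altered MAC

// In a page the token would be sent with:
// setcookie('sid', $token, ['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```

The User-Agent is not a secret, so this check only catches a token replayed with a different browser string; the session data itself stays in the database, keyed by the verified id.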
