sessions on servers with fallover

I'm working on a large project at the moment that will eventually be run on multiple servers (round robin) and some servers will have fallover to a second server. When the user visits the site they are given a session id from the server. Say, for example, that the server now died and the other server took over on the same IP address. The user then loads another page on the server (not realising that it's just fallen over to another server), and the browser will send the session id to the server.

My question is - what happens next ?!?

From what I can work out there are only 3 options:
1) the server ignores the session id from the browser and gives it a new one
2) the server takes on the session id from the browser and re-creates the session on the server using that id
3) there is an error (probably given by the server saying "invalid session id")

I imagine this same thing happens with Firefox a lot, as the sessionsaver plugin saves the session id and then gives it back to the browser next time you view that page? So the server has to deal with the session id being different than the one it wants to give then.

I'd think this would be the same on all servers/clients - but I need the answer for both Firefox and IE, and the server is running apache2 and php5 (or will be by the time we get the fallover in place!).


Tom Chapman
SimonBlake Commented:
The behavior between FF and IE will be the same as they "don't care" about what web server is serving the pages, only the content that is coming from them - they only have responsibility to pass back header/cookie/url and form data...

From my experience however, if a session doesn't exist on the server, and you pass it a session id, it will simply create a new memory space for it (can't remember if it will re-use the id passed to it, I think it will if it's in the same format) - but the session will be empty of all your user data!!!

Btw. If the session does exist already and you send it from another browser, you can hijack another person's session!!!! This is often used in cross site scripting attacks as IIS does not check the originating IP address/browser header etc... Just assumes it's valid coz it has a valid ID!!!!

What I think you need in your situation is not a round robin or wolfpack server tier but a full network load balanced (WLS/NLB) service that shares sessions between hosts. It's a bit more complicated to set up as it requires double network points between the hosts themselves to share the info as well as the public network card you will talk to.


Weiping Du (Senior Web Developer) Commented:
Your backup server wouldn't know the client session ID if it was given from the previous server. If it is a J2EE project, how to handle these 3 options depends on how you program it. You have to check if the session is valid by using isRequestedSessionIdValid() wherever you try to getSession. getSession(true) can also create a new session if there is no current session.
Oops, just saw the PHP/Apache comment - ignore my comments about IIS
tomcee (Author) Commented:
Thinking about it more I think we have decided to keep as much as possible in the database and use our own session id in a cookie. When the server does fall over, the stuff in the session variables will be fine that it's not there on the second server as it'll be re-created if it's needed (as will most of the website - but that's a different matter!).
If I was to create my own session id using cookies then if the server changed (by it falling over to another server) then is there anything to stop me getting that session id using normal cookie stuff?
i.e. does the server somehow validate the cookie given to the IP address using apache? (only asking this since you said that IIS doesn't validate the session id, would it be PHP itself that validates the IP to the PHPSESSID?)
We were thinking in depth about this earlier and realised that someone could easily change IP (wireless LAN walking through town, or a load balanced internet connection in an office?) so we don't want the session id validated by IP. I think we have decided to use our own session id, and an encrypted validation string so we can verify that the session is in fact from the correct browser.
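The following is an added example, not code from the original thread or from either poster, showing the design the question and the last comment converge on: a self-issued session id carried in a cookie together with an HMAC "validation string" computed over the id and the browser's User-Agent with a secret shared by every server in the pool. Because the secret, not the server's memory, is what validates the token, the backup server can accept the same id after a fallover (option 2 in the question: the data is gone and must be rebuilt from the database), while a tampered or foreign token is rejected and replaced (option 1). The IP address is deliberately not part of the binding, for the reason given above. The Python, the `Server` class, the shared secret and the User-Agent string are all constructed for this illustration; a PHP deployment would do the same with `hash_hmac`, `hash_equals` and `setcookie`.

```python
import hmac
import hashlib
import secrets

# Constructed demo secret. In a real pool every server loads the same value
# from configuration; it must never be derived from anything the client sends.
SHARED_SECRET = b"constructed-demo-secret-shared-by-all-servers"


def _binding(secret: bytes, sid: str, user_agent: str) -> str:
    """HMAC over session id and User-Agent: the 'validation string' in the cookie."""
    msg = f"{sid}|{user_agent}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_token(secret: bytes, user_agent: str) -> str:
    """Mint a fresh random session id and append its binding: '<sid>.<hmac>'."""
    sid = secrets.token_hex(16)
    return f"{sid}.{_binding(secret, sid, user_agent)}"


def verify_token(secret: bytes, token: str, user_agent: str):
    """Return the session id if the token is well formed, unmodified and was
    issued to this User-Agent; otherwise None. Works on any server holding
    the shared secret, with no server-side state."""
    if not token or token.count(".") != 1:
        return None
    sid, mac = token.split(".")
    if len(sid) != 32 or any(c not in "0123456789abcdef" for c in sid):
        return None
    # Constant-time comparison so a forger cannot time the check.
    if not hmac.compare_digest(mac, _binding(secret, sid, user_agent)):
        return None
    return sid


class Server:
    """One web server. Session data lives only in local memory, so it is lost
    when the request lands on the backup after a fallover."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret
        self.sessions = {}  # sid -> dict of session variables

    def handle_request(self, cookie, user_agent: str):
        """Returns (cookie_to_set, session_dict, outcome)."""
        if cookie is None:
            token = issue_token(self.secret, user_agent)
            self.sessions[token.split(".")[0]] = {}
            return token, self.sessions[token.split(".")[0]], "new"
        sid = verify_token(self.secret, cookie, user_agent)
        if sid is None:
            # Option 1: ignore the presented id and hand out a fresh one.
            token = issue_token(self.secret, user_agent)
            self.sessions[token.split(".")[0]] = {}
            return token, self.sessions[token.split(".")[0]], "rejected"
        if sid in self.sessions:
            return cookie, self.sessions[sid], "resumed"
        # Option 2: the id is genuine but this server never saw it; keep the id
        # and rebuild the variables (in the real site, from the database).
        self.sessions[sid] = {}
        return cookie, self.sessions[sid], "recreated"


def failover_demo() -> dict:
    """Walk one browser through primary, fallover to backup, and a tampered cookie."""
    ua = "Mozilla/5.0 (constructed demo browser)"
    primary = Server("A", SHARED_SECRET)
    backup = Server("B", SHARED_SECRET)

    token, sess, first = primary.handle_request(None, ua)
    sess["cart"] = ["item-1"]                           # state written on A
    _, sess_a, again = primary.handle_request(token, ua)
    _, sess_b, after = backup.handle_request(token, ua)  # A died, B answers

    # Flip the last hex digit of the HMAC: the id survives, the binding fails.
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    new_token, _, bad = backup.handle_request(tampered, ua)

    return {
        "first": first, "same_server": again, "after_failover": after,
        "tampered": bad, "tampered_replaced": new_token != tampered,
        "cart_on_A": sess_a.get("cart"), "cart_on_B": sess_b.get("cart"),
        "other_browser": verify_token(SHARED_SECRET, token, "Other/1.0"),
    }
```

The User-Agent binding only catches a cookie that has wandered to a different browser by accident; the HMAC is what stops someone minting or altering a token, and the session variables themselves still have to come from the shared database once the backup server takes over.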