How to refresh jsessionid cookie in Apache/Tomcat loadbalancer - apache

I'm using one Apache HTTPD and multiple Tomcats as the load balancing solution. Session stickiness is based on the JSESSIONID cookie. I have two questions that really need your help.
1) The Tomcat version is 7; cookies can be shared with subdomains. The domains look like this:
en.mydomain.com
es.mydomain.com
it.mydomain.com
Configured in context.xml:
<Context sessionCookieDomain=".mydomain.com" sessionCookiePath="/">
Meanwhile, we have staging environment that has sub-sub domains, and cookies can also be shared across the domains below:
en.alpha.mydomain.com
es.alpha.mydomain.com
it.alpha.mydomain.com
Configured in context.xml:
<Context sessionCookieDomain=".alpha.mydomain.com" sessionCookiePath="/">
But sometimes the JSESSIONID cookie is shared between en.mydomain.com and en.alpha.mydomain.com, which is not expected.
How can I resolve this issue? Cookies should not be shared between subdomains at different levels.
2) I tried to refresh the JSESSIONID cookie for the question above, but it failed. In a Tomcat JSP:
session.invalidate();
session = request.getSession(true);
out.print(session.getId());
The JSESSIONID cookie is refreshed when accessing this Tomcat JSP directly, but stays the same when accessing it through the Apache proxy. Should I modify mod_proxy etc. to support refreshing the JSESSIONID cookie when accessing the Apache URL?
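RFC 6265 cookie domain-matching applied to the hosts in the first question, as an added example that is not part of the post: a cookie carrying Domain=.mydomain.com also domain-matches en.alpha.mydomain.com, so both environments' JSESSIONID cookies reach the staging host. The cookie jar below is constructed; the host names and Domain values are the ones from the two context.xml settings quoted above.

```python
# Added example (not from the post): RFC 6265 cookie domain-matching, applied to
# the production and staging hosts named in the question. The cookie jar below
# is constructed; the host names and Domain values come from the two context.xml
# settings quoted above.

def _canon(host: str) -> str:
    """Lower-case and drop the leading dot that browsers ignore in Domain=.x.y."""
    return host.lower().lstrip(".")

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the host equals the cookie domain, or ends with
    '.' followed by it. There is no 'same subdomain level only' rule."""
    h, d = _canon(request_host), _canon(cookie_domain)
    return h == d or h.endswith("." + d)

def cookies_sent(request_host: str, jar: list) -> list:
    """Domains of the jar entries a browser would attach to a request for
    request_host (all cookies share Path=/, so only Domain is checked)."""
    return [c["domain"] for c in jar if domain_matches(request_host, c["domain"])]

def colliding_names(request_host: str, jar: list) -> set:
    """Cookie names that would be sent more than once to request_host: the
    server then receives two JSESSIONID cookies and has to pick one."""
    names = [c["name"] for c in jar if domain_matches(request_host, c["domain"])]
    return {n for n in names if names.count(n) > 1}

# Constructed jar: one session cookie issued by each environment. Giving the
# staging Context a different sessionCookieName would make the names differ
# and remove the collision even though both cookies are still sent.
JAR = [
    {"name": "JSESSIONID", "domain": ".mydomain.com"},        # set by en.mydomain.com
    {"name": "JSESSIONID", "domain": ".alpha.mydomain.com"},  # set by en.alpha.mydomain.com
]

if __name__ == "__main__":
    for host in ("en.mydomain.com", "en.alpha.mydomain.com"):
        print(host, "gets", cookies_sent(host, JAR),
              "collisions:", colliding_names(host, JAR) or "none")
```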

Related

HTTPD Proxy Change Response Address

My setup is as follows:
client -> proxy(dnsname eg. https://test.com) -> Jetty webapp(1.2.3.4)
The webapp sends a redirect response back (to an authentication webapp) to the client. It automatically points to the proxy via its DNS name, e.g. https://proxy/auth, and cannot be configured further.
The issue with this is that the webapp passes redirects back to the client, and the client cannot resolve https://proxy as I can't make it a DNS entry. Is it then possible for the proxy to intercept the traffic from the webapp (https://proxy) and change it to https://test.com? Even better, can the proxy autodetect the entry DNS name and append it to any responses from the webapp?
I'd envisioned the following:
client requests https://test.com/page1 -> hits proxy which resolves to webapp -> webapp gives redirect response via https://proxy/auth -> proxy intercepts and changes redirect to https://test.com/auth
I need this so that everything behind the proxy isn't machine- or IP-specific. I can shift and deploy to any environment.
I figured this out eventually. You can just modify the redirect headers in the location field.
Header edit Location "(^http[s]?://proxy)" "https://whatevernameyouwant"

How to set cookie-secure directly in weblogic server instead of giving weblogic.xml?

We have to set cookie-secure directly in the WebLogic server instead of giving it in weblogic.xml:
<session-descriptor>
<cookie-http-only>true</cookie-http-only>
<cookie-secure>true</cookie-secure>
</session-descriptor>
It sounds like you are trying to have http-only cookies as a default. This is not possible in WebLogic. You could try to add a custom filter class, but you would have to insert this into every web.xml which is just as much of a hassle.
The better option would be to configure this in a web server or layer 7 load balancer that proxies traffic to WebLogic. For a crude example, insert the following in an Apache virtual host config to add the HttpOnly and Secure flags to every Set-Cookie header.
Header edit Set-Cookie (.*) "$1; HttpOnly; Secure"

Multiple protocols for internal communication between apache and tomcat

Tomcat in our application is considered the back-end side, and additionally we have Apache fronting the Tomcat server as a reverse proxy, which redirects requests to the appropriate Tomcat instance.
Now we need to set up an HTTPS connection between the Apache proxy and Tomcat for specific URLs (login, etc.). The Tomcat documentation says that it's possible to achieve this with an additional <Connector> within the server.xml config.
In order to set up HTTPS for the login page, the existing configuration with the AJP protocol was replaced with the following:
ProxyPass /app/login/ https://127.0.0.1:6666/app/login/
All other URLs are specified like below:
ProxyPass /app/anyotherurl/ ajp://127.0.0.1:5555/app/anyotherurl/
With this configuration we expect that secure data (login/password) for the login page will be encrypted and all other pages will remain unchanged.
After the login, Apache should use the normal AJP protocol because there is no sensitive information to protect any more. But that's not what actually happens in our case, because for some reason Apache is redirecting us to the host specified in ProxyPass, namely to localhost.
This could happen due to the fact that our application, while executing the login logic on Tomcat, has two consecutive redirects.
We've tried to set ProxyPreserveHost on within the virtual host to fix the situation mentioned above, but we are not sure whether it is a secure option and whether it won't break other pages, and we are also not sure how it will work if Tomcat is located on another machine.
It would be good to know of any other solution for how this can be applied internally for specific pages.

How to remove session cookie's secure flag using mod_header?

My Apache Tomcat is running behind an Apache httpd web server connected via mod_jk.
When a browser requests an https page (rather than http) as its first session request, Tomcat sends a session cookie with the secure flag, which makes the user's logged-in session unavailable for http pages later.
How can I remove session cookies' secure flag using mod_header?
I already tried to add an option into web.xml like below.
<session-config>
<cookie-config>
<secure>false</secure>
</cookie-config>
</session-config>
However, it doesn't work. I guess this option doesn't make the servlet request non-secure, and Tomcat will put the secure flag on session cookies unless both the context's session config and the servlet request are non-secure.
Here is my own solution added to httpd-vhost.conf for now:
Header edit* Set-Cookie "(JSESSIONID=.*)(; Secure)" "$1"
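The two Set-Cookie rewrites on this page (the WebLogic answer's rule that adds HttpOnly and Secure, and the mod_jk question's rule that removes Secure), as an added example that is not code from either post: a small emulation of Apache's Header edit and Header edit* directives, with a check of which flags the rewritten cookie ends up with. The Set-Cookie values are constructed; the emulation assumes Apache's PCRE and Python's re module behave the same for these two patterns, which they do.

```python
import re

# Added example, not code from either post: a small emulation of Apache's
# "Header edit" (first match) and "Header edit*" (all matches) directives,
# used to check what the two Set-Cookie rewrites quoted on this page do.
# The Set-Cookie values below are constructed. Apache uses PCRE; these two
# patterns behave the same under Python's re module.

def header_edit(value, pattern, replacement, all_matches=False):
    """Apply one 'Header edit' rule to a header value.
    Apache writes back-references as $1..$9; re.sub expects \\1..\\9."""
    py_repl = re.sub(r"\$(\d)", r"\\\1", replacement)
    return re.sub(pattern, py_repl, value, count=0 if all_matches else 1)

def cookie_flags(value):
    """Which of the two security attributes a Set-Cookie value carries."""
    attrs = [a.strip().lower() for a in value.split(";")[1:]]
    return {"httponly": "httponly" in attrs, "secure": "secure" in attrs}

# From the WebLogic answer: Header edit Set-Cookie (.*) "$1; HttpOnly; Secure"
def add_flags(value):
    return header_edit(value, r"(.*)", "$1; HttpOnly; Secure")

# From the mod_jk question: Header edit* Set-Cookie "(JSESSIONID=.*)(; Secure)" "$1"
def strip_secure(value):
    return header_edit(value, r"(JSESSIONID=.*)(; Secure)", "$1", all_matches=True)

if __name__ == "__main__":
    samples = [
        "JSESSIONID=ABC123; Path=/",                    # constructed: plain Tomcat cookie
        "JSESSIONID=ABC123; Path=/; Secure; HttpOnly",  # constructed: already flagged
        "lang=en; Path=/",                              # constructed: not a session cookie
    ]
    for s in samples:
        for name, fn in (("add_flags", add_flags), ("strip_secure", strip_secure)):
            out = fn(s)
            print(f"{name:13} {s!r} -> {out!r} {cookie_flags(out)}")
```

On the second sample, add_flags appends attributes that are already present (browsers tolerate the duplicates, but a pattern that checks for them first is cleaner), and strip_secure leaves a session cookie that the browser will from then on also send over plain HTTP.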

change domain of JSESSIONID cookie in Apache

Currently JSESSIONID is set by xxx.domain.com and I'd like to read the JSESSIONID from yyy.domain.com, so how can I change the JSESSIONID cookie's domain from xxx.domain.com to .domain.com? I'm using Apache as the web server. Thanks.