How do Apache or mod_jk validate whether a session is created or not? Whether the session is valid or not? Whether the session id is valid or not? How does Apache handle sessions?
Apache doesn't interfere (or do any "validation") with the JSESSIONID cookie at all. It simply propagates everything from the client to Tomcat, and from Tomcat back to the client.
I am not quite clear about the idea whether the Kestrel server needs to be encrypted as a localhost server.
I use Apache with HTTPS as the proxy server for Kestrel server. Does it require to run https in Kestrel as well? In theory, what passes through the Apache proxy server (HTTPS enabled) should be encrypted, right?
Please shed some light if you have any ideas.
No, you don't have to encrypt the traffic between Apache and Kestrel. Apache (or nginx or IIS) will be the SSL termination point.
However, what you need to make sure is:
that Apache correctly sets the forwarded headers (the x-forwarded-* headers)
that Kestrel is correctly configured to use these headers (UseIISIntegration already does that), or register the app.UseForwardedHeaders(); middleware, which also registers them
Without either one, your requests will fail if the controllers/actions are marked with the [RequireHttps] attribute.
My Apache Tomcat is running behind an Apache httpd web server connected via mod_jk.
When a browser requests an https page (rather than http) as its first session request, Tomcat sends a session cookie with the secure flag, which makes the user's logged-in session unavailable for http pages later.
How can I remove the session cookie's secure flag using mod_headers?
I already tried to add an option to web.xml like below.
<session-config>
<cookie-config>
<secure>false</secure>
</cookie-config>
</session-config>
However, it doesn't work. I guess this option doesn't make the servlet request not secure, and Tomcat will put the secure flag on session cookies unless both the context's session config and the servlet request are not secure.
Here is my own solution, added to httpd-vhost.conf for now:
Header edit* Set-Cookie "(JSESSIONID=.*)(; Secure)" "$1"
I'm trying to set up Apache as a load balancer for 2 Tomcat instances with session affinity.
The goal is to have the session stick to one server but to have the next session (when it's changed by the backend server) go to the next available server (let's say using a round-robin algorithm for easier implementation). When using "jvmRoute" in Tomcat and an equivalent "route" in Apache, the actual value that does the routing is the route name, which does not change, so all requests from a single client are always routed to the same backend server.
I found out so far that there's a chicken-and-egg problem when using just the JSESSIONID cookie. Let's consider the following setup:
2 Tomcat servers listening on ports 8009 and 8010 (AJP13)
1 Apache server with the following configuration:
<Proxy balancer://hello-cluster>
BalancerMember ajp://127.0.0.1:8009/hello
BalancerMember ajp://127.0.0.1:8010/hello
</Proxy>
ProxyPass /hello balancer://hello-cluster stickysession=JSESSIONID
And here's the scenario:
1. The first request has no cookie, so Apache selects the next available server in the load balancer to handle the request.
2. The backend Tomcat server sets JSESSIONID, but the actual value being returned is not noted.
3. The next request comes in; Apache notes that there's no backend server recorded for the given JSESSIONID, so it selects the next available one, which in this case is the other one than the one that served the first request.
4. Tomcat notices that the value of JSESSIONID is invalid, so it creates a new one.
5. Apache does not take note that the JSESSIONID has changed in order to pin it down to that backend server.
6. Back to pt. 3.
Is there a way to convince Apache to note the value returned by Tomcat?
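To make the loop above concrete, here is an added example (not from the question, nor Apache's own code) that mimics what stickysession=JSESSIONID does in mod_proxy_balancer: it only parses the route suffix after the last "." in the cookie value and never remembers the session id itself. The route= names tomcat1 and tomcat2 and the sample cookie values are assumptions; the question's config sets no routes.

```python
from typing import Dict, List, Optional, Tuple

# Balancer members from the question's <Proxy balancer://hello-cluster> block.
# The route= names are an assumption: the question's config has none, and
# Tomcat only appends a route suffix to the id when jvmRoute is set in server.xml.
MEMBERS: Dict[str, str] = {
    "ajp://127.0.0.1:8009/hello": "tomcat1",
    "ajp://127.0.0.1:8010/hello": "tomcat2",
}

def route_from_cookie(cookie_header: str, name: str = "JSESSIONID",
                      sep: str = ".") -> Optional[str]:
    """What stickysession=JSESSIONID actually does: find the named cookie and
    take the text after the last separator ('.' unless stickysessionsep is set)
    as the route name. The session id itself is never looked at or stored."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name and sep in value:
            return value.rsplit(sep, 1)[1]
    return None

def pick_member(cookie_header: str, rr_state: List[int]) -> Tuple[str, str]:
    """Return (member, reason). A cookie whose route names a member sticks;
    anything else falls back to round-robin (nofailover=Off, the default)."""
    route = route_from_cookie(cookie_header)
    for member, member_route in MEMBERS.items():
        if route is not None and route == member_route:
            return member, "sticky"
    members = list(MEMBERS)
    member = members[rr_state[0] % len(members)]
    rr_state[0] += 1
    return member, "round-robin"

def simulate(cookie_headers: List[str]) -> List[str]:
    """Run one client's successive requests (Cookie header values) through
    pick_member and return the member chosen for each request."""
    rr_state = [0]
    return [pick_member(header, rr_state)[0] for header in cookie_headers]

if __name__ == "__main__":
    # The questioner's loop: ids without a route suffix, so every request is a
    # fresh round-robin pick and the session bounces between the two nodes.
    print(simulate(["", "JSESSIONID=A1B2C3", "JSESSIONID=D4E5F6"]))
    # With jvmRoute="tomcat2" the id becomes "A1B2C3.tomcat2" and sticks.
    print(simulate(["", "JSESSIONID=A1B2C3.tomcat2", "JSESSIONID=A1B2C3.tomcat2"]))
```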
Maybe try Tomcat session replication. I found this interesting post:
http://www.bradchen.com/blog/2012/12/tomcat-auto-failover-using-apache-memcached
You could also try Redis:
http://shivganesh.com/2013/08/15/setup-redis-session-store-apache-tomcat-7/
Let me know your experience please.
I'm using one Apache HTTPD and multiple Tomcats as the load balancing solution. The session stickiness is based on the JSESSIONID cookie. I have two questions that really need your help.
1) Tomcat version is 7; cookies can be shared with subdomains. The domain looks like this:
en.mydomain.com
es.mydomain.com
it.mydomain.com
Configured in context.xml:
<Context sessionCookieDomain=".mydomain.com" sessionCookiePath="/">
Meanwhile, we have a staging environment that has sub-subdomains, and cookies can also be shared across the domains below:
en.alpha.mydomain.com
es.alpha.mydomain.com
it.alpha.mydomain.com
Configured in context.xml:
<Context sessionCookieDomain=".alpha.mydomain.com" sessionCookiePath="/">
But sometimes the JSESSIONID cookie can be shared between en.mydomain.com and en.alpha.mydomain.com, which is not expected.
How can I resolve this issue? Cookies should not be shared between subdomains at different levels.
2) I tried to refresh the JSESSIONID cookie for the above question, but failed. In a Tomcat JSP:
session.invalidate();
session = request.getSession(true);
out.print(session.getId());
The JSESSIONID cookie is refreshed when directly accessing this Tomcat JSP, but stays the same when accessing it through the Apache proxy. Should I modify mod_proxy etc. to support the JSESSIONID cookie refresh when accessing the Apache URL?
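To see why the .mydomain.com cookie also turns up on en.alpha.mydomain.com, here is an added example (not from the question, nor Tomcat's own code) of RFC 6265 domain and path matching and of the order in which a browser sends the cookies that match; the cookie values and creation order are constructed.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # Domain attribute as set by Tomcat, e.g. ".mydomain.com"
    path: str = "/"
    created: int = 0  # creation order: lower = stored earlier

def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: a host domain-matches a cookie domain if it is identical
    or ends with '.' + that domain. A leading dot on the attribute is ignored
    (5.2.3), so '.mydomain.com' covers en.alpha.mydomain.com too."""
    host = host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path matching."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookie_header_for(host: str, path: str, jar: List[Cookie]) -> str:
    """Build the Cookie header a browser sends to host/path. RFC 6265 5.4 orders
    longer paths first, then earlier creation time, so which JSESSIONID the
    servlet container sees first depends on which session was created first."""
    sent = [c for c in jar if domain_match(host, c.domain) and path_match(path, c.path)]
    sent.sort(key=lambda c: (-len(c.path), c.created))
    return "; ".join(f"{c.name}={c.value}" for c in sent)

# Constructed jar: a production session set under sessionCookieDomain=".mydomain.com",
# then a staging session set under sessionCookieDomain=".alpha.mydomain.com".
JAR = [
    Cookie("JSESSIONID", "PROD111", ".mydomain.com", created=1),
    Cookie("JSESSIONID", "ALPHA222", ".alpha.mydomain.com", created=2),
]

if __name__ == "__main__":
    print(cookie_header_for("en.mydomain.com", "/", JAR))        # only the production id
    print(cookie_header_for("en.alpha.mydomain.com", "/", JAR))  # both ids, production first
```

Because the parent-domain cookie always reaches the staging hosts, only a different cookie name per environment (Tomcat's sessionCookieName Context attribute) or a staging domain that is not a subdomain of the production one keeps the two sessions apart; invalidating and recreating the session on staging cannot remove a cookie scoped to .mydomain.com.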
I have a distributed cluster system. I have set up an Apache server and configured load balancing (mod_jk). Sticky sessions are also enabled.
Is it possible to send some special requests (after request header control) to all Tomcat cluster nodes? Is there any rule or method?
There is no need to send anything back to clients; it is enough that all nodes are informed via a special URL. I have configured uriworkermap.properties; there are 3 statuses (active, disabled, stopped) for load balancer nodes. Is there any solution by configuring uriworkermap.properties or workers.properties?
If not, can you suggest alternatives to mod_jk for solving this problem?