Comments on: Handling J2EE session with cookies disabled

By: Andrew Mercer

Andrew Mercer — Mon, 22 Jan 2007 06:45:00 +0000

I am also experiencing problems with session variables in a clusted environment.

With my test code, cookies on for the cluster URL - all fine. Disable cookies - session lost.

Go to either instance directly (via port) with cookies disabled it is fine, ie session stays.

CFMX 702 Ent
Win 2003
J2ee vars - sticky on

By: Arpita

Arpita — Tue, 19 Dec 2006 03:18:00 +0000

Nice to read all of ur discussion..
I am also facing one Jsessionid problem while IT security testing.
telnet our site then
pass the parameters like that

POST /sonystyle/searchsonystyle.do HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Host: www.sonystyle.com.sg
Cookie: JSESSIONID="
Content-Length: 10

query=sony

if JSESSIONID value is "
then I am getting error.
how to handle this JSESSIONID ?

By: Dawesi

Dawesi — Fri, 22 Sep 2006 01:27:00 +0000

Nice one bro. Thanks for the heads up!

By: Joerg Zimmer

Joerg Zimmer — Thu, 21 Sep 2006 07:23:00 +0000

Hi again

You’re right. 2 Webservers with Coldfusion behind a Software Loadbalancer (ldirectord). The load balancer is able to handle sticky sessions.. but it’s not turned on at the moment…

Both connectors have the cluster connected.. not a node.. this should be ok.

Joerg

By: Rupesh Kumar

Rupesh Kumar — Wed, 20 Sep 2006 17:23:00 +0000

Hi Joerg,
What kind of load balancer are you using? Is it a hardware loadbalancer or software loadbalancer?
As I understand, you have a cluster of two cf nodes each of them behind a webserver using a connector. So actually you have two webservers with a load balancer in front. Is that correct?
If it is, then please check if the loadbalancer supports the sticky session concept. If it does then I think it might be a better idea to enable that.
Are both the connectors aware of both the cluster nodes? Let me check with JRun guys here if that would work or if there are any issues there. I know for sure that when connector is used as a load balancer then it does route the request proeprly maintaining session stickiness.
Rupesh

By: Joerg Zimmer

Joerg Zimmer — Wed, 20 Sep 2006 11:54:00 +0000

Hi Rupesh…
sorry for responding so late…
The site is faced to external users and the proxy is located somewhere on client-side…

I discovered something new…
We currently run a site in a subframe of our customers website… Because our site runs under a differnt domain, IE security settings forbid cookies from our site.
So we have a similar scenario here… This site runs on our CFMX 7.0.2 Cluster with 2 Nodes and a load-balancer in front of the webservers…
While usere where klicking around in our site, it seemed that with every click there was a new session generated for the user.
Even urlsessionformat did not resolve this…
Our Cluster ran with sticky sessions and session-replication turned off. I thought that the connector would handle the sticky-sessions and always use the same cfmx node for one session. But obviously it didn’t – turning on session-replication solved this problem…

Are the connectors on the 2 webservers unable to interchange sticky-session data? maybe the load-balancer in front of the cluster should have user-persistent routing turned on…
Did I put this clear? Better an example

user requests page
load balancer routes him to server1
connector on server1 routes him to server1
session is created on server1

user requests next page
load balancer routes him to server2
connector on server2 routes him to server2
new session is created on server2 because sessionid is unknown

user requests next page
load balancer routes him to server1
connector on server1 routes him to server1
new session is created on server1 because sessionid is unknown again.

By: Rupesh Kumar

Rupesh Kumar — Fri, 15 Sep 2006 12:19:00 +0000

Hi Joerg,
When cookies are enabled, session is tracked using cookies and urltoken will not be used by the server in that case.
It seems to me that it was a badly configured proxy. A proxy should never cache dynamic content and should only cache the static pages like html and images.
Was it a proxy in your company and faced by intranet users? or some external customers reported it to you?

Rupesh.

By: Joerg Zimmer

Joerg Zimmer — Fri, 15 Sep 2006 07:14:00 +0000

hi rupesh...
this is exactly what I did in a project lately...
but I ran into a problem:
urlsessionformat() only rewrites the url if the client has cookies disabled... so most of the time your url would just look like "test.cfm"

This shouldn't be a problem, but I got informed that in some cases users got to see pages filled with other user's data.
Seems that these pages got cached by the company-proxy...
After appending the default #session.urltoken# everything worked just fine...
Did I miss to adjust something or what was it?!

greetings

Joerg Zimmer

By: Rupesh Kumar

Rupesh Kumar — Wed, 13 Sep 2006 08:03:00 +0000

Oh yes. thanks. edited.

By: Anonymous

Anonymous — Tue, 12 Sep 2006 19:55:00 +0000

Good to know about this technique – thanx! Might not want to assign to a variable called ‘url’ tho’ since it is a scope…