6

Is it possible to override Tomcat's embedded generator of JSESSIONID, to be able to create custom values of this cookie based on the user's login?

Why do I need this: I have a load balancer with "sticky sessions", configured to route requests with the same JSESSIONID to the same server, and I want to prevent the situation where the same user can start two different sessions on different servers.

P.S.: all this is about Amazon EC2.

Illarion Kovalchuk
  • I'd be interested to know what the effect on your app is if the user manages to start two different sessions on different machines, vs. two different sessions on the same machine. – Ryan Fernandes May 24 '10 at 05:35
  • It is a good question. 2 sessions on 2 machines for different users are better for total system performance than 2 sessions on 1 machine, but for the same user it is better to have both sessions on the same machine, because they will have shared data. – Illarion Kovalchuk May 25 '10 at 12:25
  • I'm no security expert, but doesn't this open holes for CSRF / session hijack attacks? I.e., all I need is your generated JSESSIONID cookie value to impersonate the user. – Marty Pitt Apr 10 '12 at 01:19

2 Answers

4

There is a better way to do this: see the Tomcat manual on session replication in a cluster.

Bozho
  • This mechanism uses IP multicast, which, as far as I know, is impossible within Amazon EC2, where my application is currently running. There are also good examples of clustering applications, but all of them need the servers to know each other, which is not so good. I would like the LB to be the only part of the system that knows the Tomcat instances. – Illarion Kovalchuk May 14 '10 at 12:23
  • Well, perhaps you should have told us that it's about EC2? – Bozho May 14 '10 at 12:40

2

You can do so by defining your own customized session manager:

http://tomcat.apache.org/tomcat-5.5-doc/config/manager.html

However, it probably doesn't work for your use case. You don't know the username before the user logs in, but the session needs to be created for the login.

I think pushing the session to the backend is the best approach. You can use the JDBCStore session manager distributed with Tomcat. You can also find an implementation for memcached.

If the purpose of multiple servers is for redundancy, you can also use clustering but that doesn't help you if your goal is to scale for load.

ZZ Coder
  • I've solved this by switching from the session id to my own generated cookie USERID, which is actually a hash of the login. I also wonder, what if it were some SERVERID? – Illarion Kovalchuk May 14 '10 at 13:32
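An added illustration (not code from the question or answers above, and not Tomcat's own implementation) of why the USERID-as-hash-of-login cookie from the last comment is risky, next to the affinity scheme Tomcat already supports: a random session id with a `.jvmRoute` suffix that the balancer keys on. The class name, the `jvmRoute` value `tomcat1`, and the login `alice` are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

/** Constructed demo: two ways of giving a sticky load balancer a key to route on. */
public class StickySessionIds {

    private static final SecureRandom RNG = new SecureRandom();

    /** Scheme from the comment thread: cookie = SHA-256(login).
     *  The value is a pure function of public information, so it never changes and
     *  can be recomputed by anyone who knows the login: no secret, no session. */
    static String userIdCookie(String login) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        return hex(md.digest(login.getBytes(StandardCharsets.UTF_8)));
    }

    /** Alternative mirroring Tomcat's jvmRoute convention: 128 random bits from a CSPRNG,
     *  followed by "." and the route name. The balancer reads only the suffix, the
     *  unguessable prefix still authenticates the session. (Demo code, not Tomcat's.) */
    static String routedSessionId(String jvmRoute) {
        byte[] id = new byte[16];
        RNG.nextBytes(id);
        return hex(id) + "." + jvmRoute;
    }

    /** What a balancer would extract to pick the backend: the text after the last dot. */
    static String routeOf(String sessionId) {
        int dot = sessionId.lastIndexOf('.');
        return dot < 0 ? null : sessionId.substring(dot + 1);
    }

    private static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Weak scheme: the same cookie every time, on every server, for the same login.
        System.out.println("USERID(alice)       = " + userIdCookie("alice"));
        System.out.println("USERID(alice) again = " + userIdCookie("alice"));

        // Routed scheme: two sessions for one user get unrelated ids but the same route.
        String a = routedSessionId("tomcat1");
        String b = routedSessionId("tomcat1");
        System.out.println(a + " -> route " + routeOf(a));
        System.out.println(b + " -> route " + routeOf(b));
    }
}
```

With the routed scheme, stickiness is decided by the suffix alone, so the goal of keeping one user's requests on one server does not require making the session id derivable from the login.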