
I am working on a use case where I have to redirect between JSF applications deployed on different servers. Kinda login app to main webapp. Initially I have deployed both of these apps on the same server and am running them under the same domain (localhost).

The two applications are: App A (a login portal) and App B. App A runs at the root context, e.g. http://localhost:8080/, and App B is at context /app, e.g. http://localhost:8080/app/. When I redirect (post login) from App A to App B through a plain POST submit request, App B gets launched in the same browser tab. Upon inspecting the session id cookie I see that App B, though part of a different deployment, is sharing the same session id as App A. The cookie shows the same session id stored under path /. After launching App B, I was expecting a new session. Is this normal? Do I need to create a new session explicitly? Or is it happening because I have deployed both apps' war files on the same server, localhost:8080?

user2918640
  • Have you tried something like this: http://stackoverflow.com/questions/9436736/sharing-session-data-between-contexts-in-tomcat? – Jaumzera May 31 '16 at 16:01
  • And this: http://stackoverflow.com/questions/14712626/send-http-post-request-to-external-site-using-hform – Jaumzera May 31 '16 at 16:19
  • I am able to redirect to App B through POST type HTML form `
    ...
    ` submit through a JSF button in my JSF page. Further to sessions, it's not that I want to share a session among applications App A & App B. I want it otherwise. I want each application to have its own independent session under its own context. After redirecting to App B, I see that App B has the same session id. I need to start App B in a new session instead.
    – user2918640 May 31 '16 at 17:13
  • The second link shows how you can change the session id cookie scope from `/` to anywhere else. Anyway, as you commented in your question, if the apps will work in separated servers, you don't need to worry about it. You can also invalidate the first app's session before redirecting to the second one. – Jaumzera May 31 '16 at 17:16
  • I am wondering if deploying both apps on the same server has caused the same session id for both apps for a user. – user2918640 May 31 '16 at 17:22
  • And I do not want to destroy the first app's session because of the second app. I want to keep the App A session alive for 30 minutes as long as the browser is not closed. As I said, both sessions need to be independent. Looks like I'll have to test both apps in different server instances this time. – user2918640 May 31 '16 at 17:33
  • Yes, I get it. What I told is that it will depend on context configuration for session id cookie. – Jaumzera May 31 '16 at 18:38

1 Answer


Yes, the JSESSIONID will be the same due to both apps being served from the same servlet container and interacting with the same browser instance. The same HTTPSession is being utilised by both apps.

For a great in-depth explanation, check out the reading under the HTTPSession section: How do servlets work? Instantiation, shared variables and multithreading.

Incidentally, two separate browsers would access different sessions. Each one would access the server with a new session cookie and hence be given a new HTTPSession from the server. Given that you're launching both apps from within the same browser (even if using a separate tab/window of the same browser), the session cookie would remain the same and hence access the same HTTPSession.

Fast Engy
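
Which session cookies a browser attaches to a request for each app depends on the cookie name and Path, the cookie scope raised in the comments. The sketch below is an added example, not code from the original posts: it implements RFC 6265 path matching and assumes each app's session cookie is scoped to its context path (`/` for App A, `/app` for App B); the cookie values and the `LOGINSESSIONID` name are constructed.

```javascript
// RFC 6265 section 5.1.4 path-match: does a cookie with this Path apply to the request path?
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Minimal cookie jar for one host. A cookie's identity is (name, path),
// so two cookies with the same name and different paths coexist.
class CookieJar {
  constructor() { this.cookies = []; }
  set(name, value, path) {
    this.cookies = this.cookies.filter(c => !(c.name === name && c.path === path));
    this.cookies.push({ name, value, path });
  }
  // Cookie header for a request; longer paths are listed first (RFC 6265 section 5.4).
  header(requestPath) {
    return this.cookies
      .filter(c => pathMatches(requestPath, c.path))
      .sort((a, b) => b.path.length - a.path.length)
      .map(c => `${c.name}=${c.value}`)
      .join("; ");
  }
}

// Constructed scenario: App A at the root context, App B at /app, same host.
function sameNameScenario() {
  const jar = new CookieJar();
  jar.set("JSESSIONID", "A-111", "/");     // issued by App A (constructed value)
  jar.set("JSESSIONID", "B-222", "/app");  // issued by App B (constructed value)
  return { toA: jar.header("/login.xhtml"), toB: jar.header("/app/home.xhtml") };
}

// Same layout, but App A uses a hypothetical distinct cookie name.
function distinctNameScenario() {
  const jar = new CookieJar();
  jar.set("LOGINSESSIONID", "A-111", "/");
  jar.set("JSESSIONID", "B-222", "/app");
  return { toA: jar.header("/login.xhtml"), toB: jar.header("/app/home.xhtml") };
}

console.log(sameNameScenario());
console.log(distinctNameScenario());
```

A cookie scoped to `/` is attached to every request on the host, including those for `/app/`, so the root app's session id is always visible next to App B's own cookie; giving the two apps different cookie names keeps the identifiers unambiguous.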