8

I have a UI that is served by two HTTP servers. Therefore I need to clean the HTTP session from both servers. It is simple for the logout use case, but it is not clear to me how to do it for the session timeout use case.

Notification on the server side is possible via HttpSessionBindingListener (Getting notification when bounded/unbounded to a HTTP session). But how can I notify the client side about it? I have to send the request from a browser to the second server to be able to clean a session cookie on the second server, and therefore I cannot send the request from the server side.

Added

One server is Tomcat 8, the second server is Apache HTTPD server. I want to solve it via a UI callback if possible (from the Tomcat HTTP servlet server).

Michael
  • Isn't that more a server configuration? I thought there was a way to configure the servers to share sessions. Can you include more details on the server you're using, including version? – Kieveli Sep 19 '16 at 15:22
  • Good question. I am waiting for more details. I was comparing this approach with Spring Session (clustered: http://docs.spring.io/spring-session/docs/current/reference/html5/#httpsession-redis) which uses an external store like redis to manage clustered sessions. PS: I wish there was a subscribe button on SO for such questions. – code4kix Sep 19 '16 at 15:31
  • Kieveli, I do not want to configure any session sharing. One server is Tomcat 8, the second server is Apache HTTPD server. I want to solve it via a UI callback if possible (from the Tomcat HTTP servlet server). code4kix, to subscribe to the question just press the star button – Michael Sep 21 '16 at 07:24
  • What exactly do you mean by "HTTP session" in the context of the Apache httpd? (mod_session?) Why do you need to explicitly clean it at all - can't you give the session a server-side expiration timestamp and invalidate it upon an attempt to access it? (SessionMaxAge for mod_session) – Phillip Sep 22 '16 at 09:26
  • For example mod_session. I plan to configure the session timeout on the server time. In any case, since it is two sessions, even if I configure them for the same period of time, one session can become invalid while the second is still alive. Therefore I want to clean the Apache session upon the Tomcat session expiration. – Michael Sep 22 '16 at 10:24
  • Implement a `HttpSessionBindingListener` on Tomcat. When this listener is notified of the session expiring, perform an HTTP request to a URL on the Apache server. Pass the data that is required to identify the session. The program on the Apache server can then end the session for that environment. – Kwebble Sep 28 '16 at 20:17

2 Answers

4

From Apache HTTPD (Apache) documentation:

Integrating Sessions with External Applications

https://httpd.apache.org/docs/2.4/mod/mod_session.html#integration

  • You can write your own module, then you could use this module to delete sessions after Tomcat deems them expendable.
  • You can use a session database external to both Tomcat and Apache (e.g. in MySQL); both servers would validate users with it. Deleting a session would just require deleting the entry from the database.
  • As a standalone application: As the docs state, it is on you to do the work of finding and accessing the session files, breaking them, and editing them. If Tomcat and Apache are on different machines, you could have an agent with a listener on the Apache box, and have Tomcat request the agent delete the session data.
  • Apache usually goes with PHP, and there are also databases around. Both could have their own sessions to handle.
gia
  • I do want to manage sessions via database. Can not find the solution in the answer above – Michael Sep 28 '16 at 06:16
  • I won't write the code, but again, you will probably want a standalone app running on the Apache httpd box (or your fork of Apache). Make it listen on a port (sockets or Java calls). Whenever Tomcat deletes a session, it has to call this program, and the program has to delete the matching Apache httpd session. No easy framework calls, you have to do everything. – gia Sep 28 '16 at 20:25
  • I need callback via browser. I can develop tons of solution via server side but I need a browser solution – Michael Sep 29 '16 at 05:53
  • If by browser you mean the client's/user's browser, then you can close both sessions with page requests themselves: mytomcatserver.com/closesession.jsp, myapacheserver.com/closesession.php – gia Sep 29 '16 at 21:12
  • and if you mean a browser but not the client's (yours instead), then you can still make it connect to a standalone app – gia Sep 29 '16 at 21:14
0

There are a couple of approaches you can try.

  1. As mentioned by @Kwebble, on Tomcat session timeout make a call to your Apache server and ask it to logout / invalidate session.

  2. If session times out in Tomcat, UI will get to know about that when it makes any request. Now from UI, make a call to Apache server to logout / invalidate the session.

Meritor
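
Approach 2 from the answer above, sketched as browser code (an added example, not part of the thread): a fetch wrapper that notices the Tomcat session has expired and then asks Apache to drop its session too. It assumes Tomcat answers 401 for an expired session and that the Apache host exposes a logout URL clearing the mod_session cookie; the host names and `/logout` path are hypothetical.

```javascript
// Added example (not from the thread). Assumed names: /logout on the Apache
// host is a hypothetical endpoint that clears the mod_session cookie, and
// Tomcat is assumed to answer 401 once its session has timed out.
function createSessionAwareFetch(fetchImpl, { apacheLogoutUrl, onExpired }) {
  let cleanup = null; // shared promise: parallel 401s trigger a single logout call

  return async function sessionAwareFetch(url, options = {}) {
    // credentials: "include" sends the session cookie on cross-origin calls;
    // the server must allow it via CORS (Access-Control-Allow-Credentials).
    const response = await fetchImpl(url, { ...options, credentials: "include" });
    if (response.status !== 401) return response;

    if (!cleanup) {
      cleanup = fetchImpl(apacheLogoutUrl, { method: "POST", credentials: "include" })
        .catch(() => null) // an unreachable Apache must not hide the expiry from the UI
        .then(() => onExpired());
    }
    await cleanup;
    return response;
  };
}

// Constructed simulation: a fake fetch stands in for both servers.
async function simulate() {
  const calls = [];
  let tomcatAlive = true;
  const fakeFetch = async (url, opts) => {
    calls.push(`${opts.method || "GET"} ${url}`);
    if (url.startsWith("https://apache.example/")) return { status: 204 };
    return { status: tomcatAlive ? 200 : 401 };
  };
  let redirects = 0;
  const apiFetch = createSessionAwareFetch(fakeFetch, {
    apacheLogoutUrl: "https://apache.example/logout",
    onExpired: () => { redirects += 1; }, // a real UI would navigate to the login page
  });
  const first = await apiFetch("https://tomcat.example/api/data");
  tomcatAlive = false; // the Tomcat session times out
  const later = await Promise.all([
    apiFetch("https://tomcat.example/api/data"),
    apiFetch("https://tomcat.example/api/more"),
  ]);
  return { first: first.status, later: later.map((r) => r.status), calls, redirects };
}
```

In a page, pass `window.fetch.bind(window)` as `fetchImpl`; the wrapper only reacts when the UI next talks to Tomcat, so the Apache session should still carry its own server-side expiry.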