
I need to develop 2 backend applications, both running on the same parent domain; the two services will need to share sessions (login to A means the user is logged into B, and the same for logout).

For now, I plan to host them in the same Tomcat but in different contexts (2 WAR files) to have complete isolation (the main reason being that the two services will be developed by different squads and we do not want any dependency between releases; the two services may also have different performance requirements in the long term).

In our current architecture, with only one service, we use a session cookie and HttpSession for session management; the authentication logic is in a servlet filter. Since the two backend apps share the same domain, I should be able to use the same session cookie; based on my tests, I can see that the browser is sending the cookie to both services.

To enable session sharing, following the answer to another question (Sharing session data between contexts in Tomcat), I tried the following in Tomcat's context.xml:

<Valve className="org.apache.catalina.valves.PersistentValve"/>
<Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="${catalina.base}/temp/sessions"/>
</Manager>

...

The above trick did the job for login: Tomcat reused the session from ServiceA for ServiceB. I could also see that the session was persisted on disk (I eventually plan to move to Redis). But after I log out using the URL of service A (https://example.com/serviceA/logout), I'm logged out from ServiceA, yet I noticed that I could still access endpoints of ServiceB, and the Tomcat session was still there on disk. After I logged out specifically from ServiceB (https://example.com/serviceB/logout), I was properly logged out from ServiceB.

This is what I do in the logout handling:

    HttpSession session = request.getSession(false);
    if (session != null) {
        // Expire every cookie the browser sent (Max-Age=0 tells the browser to delete it)
        Cookie[] cookieArray = request.getCookies();
        if (cookieArray != null) {
            for (Cookie c : cookieArray) {
                c.setMaxAge(0);
                response.addCookie(c);
            }
        }
        // Invalidate the server-side session
        session.invalidate();
    }

I'm totally confused. Am I heading in the right direction? How is it possible that, if Tomcat is sharing the same session, logout isn't propagated to the other context?

Nitesh
  • "I need to develop 2 backend applications both running on the same parent domain, the two services will need to share the sessions (login to A means user is logged into B and same for logout)." If it's about authentication, why not just use SAML? – Zeko Feb 17 '23 at 08:42
  • We get a SAML response from our IdP server and use that to persist the session with HttpSession in Tomcat; it is not just about "authenticating once", it is about session persistence (so-called sticky sessions). Normally, the other, cleaner solution would be to have a reverse proxy in front, but that would mean a big rewrite of the existing security code – Nitesh Feb 17 '23 at 08:52
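Added example (not code from the question or its linked answer), illustrating one caveat in the posted logout handler: cookies obtained from request.getCookies() carry only name and value, because the browser never sends the Path or Domain attributes back. An expiry cookie built from such an object therefore gets a defaulted Path (the directory of the request URI, e.g. /serviceA for /serviceA/logout), and a browser deletes a cookie only when name, domain and path all match. If the session cookie shared by both contexts was issued with Path=/, the loop in the question leaves it in place. The servlet below reads the issuing attributes from the container's SessionCookieConfig instead. It assumes the javax.servlet API (Tomcat 9 and earlier; Tomcat 10 uses jakarta.servlet), a /logout mapping inside each context, a "/" landing page after logout, and Tomcat's default of using the context path as the cookie path when none is configured. It does not address why the other context's server-side session stays valid, which is the question's main point.

```java
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.SessionCookieConfig;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Assumed mapping; the question uses /serviceA/logout and /serviceB/logout.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Invalidate this context's server-side session first.
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // The browser sends only name=value, so request.getCookies() cannot tell us the
        // Path/Domain the session cookie was issued with. Take them from the container
        // configuration so the expiry cookie matches the original exactly.
        ServletContext ctx = request.getServletContext();
        SessionCookieConfig cfg = ctx.getSessionCookieConfig();

        String name = cfg.getName() != null ? cfg.getName() : "JSESSIONID"; // servlet default
        String path = cfg.getPath();
        if (path == null) {
            // Assumed Tomcat default when sessionCookiePath is not configured:
            // the context path, or "/" for the root context.
            path = ctx.getContextPath().isEmpty() ? "/" : ctx.getContextPath();
        }

        Cookie expired = new Cookie(name, "");
        expired.setMaxAge(0);               // Max-Age=0: browser deletes the matching cookie
        expired.setPath(path);              // must equal the Path of the issued cookie
        if (cfg.getDomain() != null) {
            expired.setDomain(cfg.getDomain()); // must equal the Domain, if one was set
        }
        expired.setHttpOnly(true);
        expired.setSecure(request.isSecure());
        response.addCookie(expired);

        response.sendRedirect(request.getContextPath() + "/"); // assumed landing page
    }
}
```

Check the result in the browser's developer tools: the logout response should carry a Set-Cookie header for the session cookie with Max-Age=0 and the same Path the login response used; if the paths differ, the browser keeps the original cookie and will keep presenting it to both contexts.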

0 Answers