You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by da...@kentor.se on 2001/02/06 13:10:09 UTC

Newbie question: How does Tomcat implement HttpSession?

Our load balancer supports two ways of keeping the state of the sessions
between
requests, ip source (all clients from the same subnet will be redirected
to that
Tomcat server) and cookie based (a little more flexible approach), that
is if the
client allows cookies. To enable cookie based load balancing in our Load
Balancer
I have to know the name of the cookie being set and my question is - how
does
Tomcat implement HttpSession? Is this done by setting up a cookie? If
so, what is
the name of that cookie and what data differentiates this cookie from
the one
generated from other tomcat servers (are they unique?)? I mean, if it's
just a
number sequences always starting from 1 with every restart of the Tomcat
server
you can't grant the sessions to be redirected to the correct server. I
have
tried figuring this out by snooping the request without luck. Please
help.


---------- ----------------- -----------------
| Client | | Load Balancer | | Tomcat 3.1 #1 | - cookie keeping session
id?
---------- ----------------- -----------------
                             -----------------
                             | Tomcat 3.1 #2 |
                             -----------------
                             -----------------
                             | Tomcat 3.1 #n |
                             -----------------


Regards,
David

Re: Newbie question: How does Tomcat implement HttpSession?

Posted by Kief Morris <ki...@bitbull.com>.

david.svanberg@kentor.se typed the following on 01:10 PM 2/6/2001 +0100
>Our load balancer supports two ways of keeping the state of the sessions
>between requests, ip source (all clients from the same subnet will be redirected
>to that Tomcat server) and cookie based (a little more flexible approach), that
>is if the client allows cookies. To enable cookie based load balancing in our Load
>Balancer I have to know the name of the cookie being set and my question is - how
>does Tomcat implement HttpSession? Is this done by setting up a cookie?

It does it according to the Servlet specifications, which you might find
interesting. Check out the 2.2 final spec, which Tomcat 3.x uses:

http://java.sun.com/products/servlet/download.html#specs

Tomcat 4.0 (currently in beta) uses the 2.3 specification.

> If so, what is the name of that cookie 

JSESSIONID

>and what data differentiates this cookie from the one
>generated from other tomcat servers (are they unique?)? I mean, if it's
>just a number sequences always starting from 1 with every restart of the Tomcat
>server you can't grant the sessions to be redirected to the correct server. 

The data of the cookie is a unique, randomly generated string. I'm not sure
what you mean about not being able to grant the sessions. The cookie value
should absolutely NOT be predictable, otherwise crackers would run rampant
over your users. 

I haven't researched how load balancers handle cookies in detail. My
understanding is that knowing the name of the cookie should be enough:
the balancer should be able to use the value to identify users and direct
them to the same server on each subsequent request.

What load balancer are you using?

>I have tried figuring this out by snooping the request without luck. Please
>help.

You might also try poking around through the source code. One of the best
things about open source is that you can always roll up your sleeves and
pop the hood to see what's really going on.

Kief