Posted to users@tomcat.apache.org by Nikita Tovstoles <ni...@gmail.com> on 2010/07/01 00:20:57 UTC

using Servlet Filter to rewrite domain of JSESSIONID cookie?

I'd like to make session cookie domain-wide, and ignore subdomains - in
Tomcat 6. So for app reachable via my.site.com and www.site.com, I'd like to
have session cookie's domain be ".site.com". I thought of doing so using a
ServletResponseWrapper and a servlet Filter:

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException
    {
        if (!(response instanceof SessionCookieDomainSettingServletResponseWrapper))
        {
            response = new SessionCookieDomainSettingServletResponseWrapper((HttpServletResponse) response);
        }
        chain.doFilter(request, response);
    }

and in wrapper:
    @Override
    public void addCookie(Cookie cookie)
    {
        if (cookie != null && SESSION_COOKIE_NAME.equals(cookie.getName()))
        {
            // update domain name to just the domain
            stripSubDomain(cookie);
        }
        super.addCookie(cookie);
    }

However, JSESSIONID continues to be set to FQ host name ("my.site.com").

Is it because Tomcat internals do not use HttpServletResponse.addCookie() to
set JSESSIONID or is that cookie set before filter chain gets executed?

If so, sounds like Filter is (sadly) not applicable for this case, and I
have to create a custom Valve? Any tips on how to
wrap org.apache.catalina.connector.Response - valve.invoke() does not take
HttpServletResponse...

thanks
-nikita

RE: using Servlet Filter to rewrite domain of JSESSIONID cookie?

Posted by Ralph Carlson <RA...@mediacomcc.com>.
Can you extend org.apache.catalina.connector.Response, adding the HttpResponse object and its getter/setter,
and call that before valve.invoke()?

Also, depending on what you are putting in your cookie and if the users are logging on or not (you could also use IP address, but that is flaky if they are using proxies), I usually just put the custom user settings in a database now, as most virus scanners and malware scanners keep removing my users' cookies anyway.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: using Servlet Filter to rewrite domain of JSESSIONID cookie?

Posted by Nikita Tovstoles <ni...@gmail.com>.
Yep, I realized as much and went exactly that route. However, I still think
that altering (broadening) domain of JSESSIONID cookie is worthwhile.
However, after looking at Tomcat src, it appears that creating a delegate
for the internal Request is surprisingly non-trivial as there are protected
fields in that class. And wrapping a delegate around ServletResponse is
useless, because JSESSIONID cookie is added using an internal method (and
not HttpServletResponse.addCookie). Oh well...

-nikita


On Thu, Jul 1, 2010 at 5:59 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> Nikita,
>
> On 7/1/2010 6:37 PM, Nikita Tovstoles wrote:
> > I borrowed "sub-domain" from Google Analytics terminology. I have one
> > server, running one tomcat instance with one virtual host. That host is
> > running one app - a JS/html widget that is embedded on multiple sites.
> >
> > We need to track usage per-deployment (per site embedding the widget). For
> > (google) analytics purposes, the easiest way to do so is to have a different
> > (sub)domain per deployment. So the same tomcat instance is responding to
> > requests for site1.widget.com, site2.widget.com, etc.
> >
> > a user may interact with 2 widget deployed on 2 different sites (and thus
> > served from different (sub)domains) within 30 minutes. It is for this case
> > that we want user to share the same HttpSession:
> >
> > - go to some site A where our widget is deployed at site1.widget.com
> > - go to some other site B where our widget is deployed at site2.widget.com
> > - reuse the same JSESSIONID because its domain is set to ".widget.com"
>
> This sounds like a job for a non-JSESSIONID cookie that is created from
> your own code.
>
> -chris

Re: using Servlet Filter to rewrite domain of JSESSIONID cookie?

Posted by André Warnier <aw...@ice-sa.com>.
Pid wrote:
> On 02/07/2010 08:31, André Warnier wrote:
>> Christopher Schultz wrote:
>>> Nikita,
>>>
>>> On 7/1/2010 6:37 PM, Nikita Tovstoles wrote:
>>>> I borrowed "sub-domain" from Google Analytics terminology. I have one
>>>> server, running one tomcat instance with one virtual host. That host is
>>>> running one app - a JS/html widget that is embedded on multiple sites.
>>>>
>>>> We need to track usage per-deployment (per site embedding the widget).
>>>> For
>>>> (google) analytics purposes, the easiest way to do so is to have a
>>>> different
>>>> (sub)domain per deployment. So the same tomcat instance is responding to
>>>> requests for site1.widget.com, site2.widget.com, etc.
>>>>
>>>> a user may interact with 2 widget deployed on 2 different sites (and
>>>> thus
>>>> served from different (sub)domains) within 30 minutes. It is for this
>>>> case
>>>> that we want user to share the same HttpSession:
>>>>
>>>> - go to some site A where our widget is deployed at site1.widget.com
>>>> - go to some other site B where our widget is deployed at
>>>> site2.widget.com
>>>> - reuse the same JSESSIONID because its domain is set to ".widget.com"
>>> This sounds like a job for a non-JSESSIONID cookie that is created from
>>> your own code.
>>>
>> +1
>>
>> But I am still lost as to what you are calling "sites" and "subdomains"
>> and "deployed at site1.widget.com".
>> If I follow the explanation above, you have something like this :
>> <Host name="localhost" appBase="webapps">
>>  <Alias>site1.widget.com</Alias>
>>  <Alias>site2.widget.com</Alias>
>>  <Alias>site3.widget.com</Alias>
>>  <Alias>site4.widget.com</Alias>
>> ...
>> </Host>
> 
> You can omit the aliases and just rely on the defaultHost setting in
> Engine to route all requests to a specific Host.
> 
I know, but I am trying to get a grip of what the OP means by sites etc..
This is to try to figure out if, apart from modifying the domain of the JSESSIONID cookie 
(which seems difficult), there is a better solution to the OP's underlying issue (Google 
Analytics).
Maybe this thing can be solved by a simple servlet filter, or UrlRewriteFilter, or some 
dispatching servlet, or having the application do a getHostName() or ..



Re: using Servlet Filter to rewrite domain of JSESSIONID cookie?

Posted by Pid <pi...@pidster.com>.
On 02/07/2010 08:31, André Warnier wrote:
> Christopher Schultz wrote:
>> Nikita,
>>
>> On 7/1/2010 6:37 PM, Nikita Tovstoles wrote:
>>> I borrowed "sub-domain" from Google Analytics terminology. I have one
>>> server, running one tomcat instance with one virtual host. That host is
>>> running one app - a JS/html widget that is embedded on multiple sites.
>>>
>>> We need to track usage per-deployment (per site embedding the widget).
>>> For
>>> (google) analytics purposes, the easiest way to do so is to have a
>>> different
>>> (sub)domain per deployment. So the same tomcat instance is responding to
>>> requests for site1.widget.com, site2.widget.com, etc.
>>>
>>> a user may interact with 2 widget deployed on 2 different sites (and
>>> thus
>>> served from different (sub)domains) within 30 minutes. It is for this
>>> case
>>> that we want user to share the same HttpSession:
>>>
>>> - go to some site A where our widget is deployed at site1.widget.com
>>> - go to some other site B where our widget is deployed at
>>> site2.widget.com
>>> - reuse the same JSESSIONID because its domain is set to ".widget.com"
>>
>> This sounds like a job for a non-JSESSIONID cookie that is created from
>> your own code.
>>
> +1
> 
> But I am still lost as to what you are calling "sites" and "subdomains"
> and "deployed at site1.widget.com".
> If I follow the explanation above, you have something like this :
> <Host name="localhost" appBase="webapps">
>  <Alias>site1.widget.com</Alias>
>  <Alias>site2.widget.com</Alias>
>  <Alias>site3.widget.com</Alias>
>  <Alias>site4.widget.com</Alias>
> ...
> </Host>

You can omit the aliases and just rely on the defaultHost setting in
Engine to route all requests to a specific Host.


p

> Is that it ?
> And if so, where is the widget-webapp deployed (on disk), and how many
> times really ?
> 
> I am not trying to be a pedant, just to make sure I understand the
> layout, so that we might maybe come up with a suggestion to solve your
> problem (even if it is not by changing the JSESSIONID cookie domain)
> 
> 



Re: using Servlet Filter to rewrite domain of JSESSIONID cookie?

Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
> Nikita,
> 
> On 7/1/2010 6:37 PM, Nikita Tovstoles wrote:
>> I borrowed "sub-domain" from Google Analytics terminology. I have one
>> server, running one tomcat instance with one virtual host. That host is
>> running one app - a JS/html widget that is embedded on multiple sites.
>>
>> We need to track usage per-deployment (per site embedding the widget). For
>> (google) analytics purposes, the easiest way to do so is to have a different
>> (sub)domain per deployment. So the same tomcat instance is responding to
>> requests for site1.widget.com, site2.widget.com, etc.
>>
>> a user may interact with 2 widget deployed on 2 different sites (and thus
>> served from different (sub)domains) within 30 minutes. It is for this case
>> that we want user to share the same HttpSession:
>>
>> - go to some site A where our widget is deployed at site1.widget.com
>> - go to some other site B where our widget is deployed at site2.widget.com
>> - reuse the same JSESSIONID because its domain is set to ".widget.com"
> 
> This sounds like a job for a non-JSESSIONID cookie that is created from
> your own code.
> 
+1

But I am still lost as to what you are calling "sites" and "subdomains" and "deployed at 
site1.widget.com".
If I follow the explanation above, you have something like this :
<Host name="localhost" appBase="webapps">
  <Alias>site1.widget.com</Alias>
  <Alias>site2.widget.com</Alias>
  <Alias>site3.widget.com</Alias>
  <Alias>site4.widget.com</Alias>
...
</Host>

Is that it ?
And if so, where is the widget-webapp deployed (on disk), and how many times really ?

I am not trying to be a pedant, just to make sure I understand the layout, so that we 
might maybe come up with a suggestion to solve your problem (even if it is not by changing 
the JSESSIONID cookie domain)




Re: using Servlet Filter to rewrite domain of JSESSIONID cookie?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Nikita,

On 7/1/2010 6:37 PM, Nikita Tovstoles wrote:
> I borrowed "sub-domain" from Google Analytics terminology. I have one
> server, running one tomcat instance with one virtual host. That host is
> running one app - a JS/html widget that is embedded on multiple sites.
> 
> We need to track usage per-deployment (per site embedding the widget). For
> (google) analytics purposes, the easiest way to do so is to have a different
> (sub)domain per deployment. So the same tomcat instance is responding to
> requests for site1.widget.com, site2.widget.com, etc.
> 
> a user may interact with 2 widget deployed on 2 different sites (and thus
> served from different (sub)domains) within 30 minutes. It is for this case
> that we want user to share the same HttpSession:
> 
> - go to some site A where our widget is deployed at site1.widget.com
> - go to some other site B where our widget is deployed at site2.widget.com
> - reuse the same JSESSIONID because its domain is set to ".widget.com"

This sounds like a job for a non-JSESSIONID cookie that is created from
your own code.

-chris

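The separate-cookie approach suggested in the message above, as an added example that is not code from the thread or from Tomcat: a Servlet 2.5 filter that leaves JSESSIONID bound to the exact host and shares only a random visitor token across the domain. The class name, cookie name, request attribute and the cookieDomain init-param are assumptions made for the example.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (Servlet 2.5 / Tomcat 6 style). JSESSIONID stays scoped to the
// exact host; a separate random visitor token is shared across the domain.
public class VisitorCookieFilter implements Filter {
    static final String COOKIE_NAME = "WIDGET_VISITOR";     // hypothetical name
    static final String REQUEST_ATTR = "widget.visitorId";  // hypothetical name
    private static final Pattern TOKEN = Pattern.compile("[0-9a-f]{32}");
    private static final int MAX_AGE_SECONDS = 30 * 60;     // 30-minute window from the thread
    private final SecureRandom random = new SecureRandom();
    private String cookieDomain;                            // e.g. ".widget.com" (init-param)

    public void init(FilterConfig config) throws ServletException {
        cookieDomain = config.getInitParameter("cookieDomain");
        if (cookieDomain == null || !cookieDomain.matches("\\.[a-z0-9.-]+")) {
            throw new ServletException("cookieDomain init-param must look like .widget.com");
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String visitorId = readToken(request);
        if (visitorId == null) visitorId = newToken();
        // Send the cookie only when the requested host is under the configured domain.
        String host = request.getServerName().toLowerCase(Locale.ENGLISH);
        if (host.endsWith(cookieDomain)) {
            // Servlet 2.5's Cookie has no setHttpOnly(), so the header is built by hand.
            // Re-sending it on every request slides the expiry window.
            response.addHeader("Set-Cookie", COOKIE_NAME + "=" + visitorId
                    + "; Domain=" + cookieDomain + "; Path=/; Max-Age=" + MAX_AGE_SECONDS
                    + "; HttpOnly" + (request.isSecure() ? "; Secure" : ""));
        }
        // The application keys shared widget state by this attribute, not by HttpSession.
        request.setAttribute(REQUEST_ATTR, visitorId);
        chain.doFilter(request, response);
    }

    // Accept a client-supplied value only if it has the exact token shape, so nothing
    // client-chosen outside [0-9a-f]{32} is ever echoed into the Set-Cookie header.
    private String readToken(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();   // null when the request has no cookies
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName()) && c.getValue() != null
                    && TOKEN.matcher(c.getValue()).matches()) {
                return c.getValue();
            }
        }
        return null;
    }

    private String newToken() {
        byte[] raw = new byte[16];                 // 128 bits from SecureRandom
        random.nextBytes(raw);
        StringBuilder hex = new StringBuilder(32);
        for (byte b : raw) hex.append(String.format("%02x", b & 0xff));
        return hex.toString();
    }

    public void destroy() { }
}
```

Every host under the configured domain can read and overwrite this cookie, so the token is a lookup key for shared widget state and not proof of login.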

Re: using Servlet Filter to rewrite domain of JSESSIONID cookie?

Posted by Nikita Tovstoles <ni...@gmail.com>.
I borrowed "sub-domain" from Google Analytics terminology. I have one
server, running one tomcat instance with one virtual host. That host is
running one app - a JS/html widget that is embedded on multiple sites.

We need to track usage per-deployment (per site embedding the widget). For
(google) analytics purposes, the easiest way to do so is to have a different
(sub)domain per deployment. So the same tomcat instance is responding to
requests for site1.widget.com, site2.widget.com, etc.

a user may interact with 2 widget deployed on 2 different sites (and thus
served from different (sub)domains) within 30 minutes. It is for this case
that we want user to share the same HttpSession:

- go to some site A where our widget is deployed at site1.widget.com
- go to some other site B where our widget is deployed at site2.widget.com
- reuse the same JSESSIONID because its domain is set to ".widget.com"

Make sense?





On Thu, Jul 1, 2010 at 3:07 PM, André Warnier <aw...@ice-sa.com> wrote:

> Nikita Tovstoles wrote:
>
>> thanks for the pointers. However, emptySessionPath - from what I can tell -
>> only deals with paths (not domain). how could I use it to ignore
>> subdomains?
>>
>>
> What I do not really understand in all this, is what the point is, of
> having the same JSESSIONID (and by extension, I suppose, session) for
> different domains.
> (And I find the term "sub-domain" confusing, apart from the fact that
> technically, there is no such thing).
> If you have 2 hosts a.somedomain.com and b.somedomain.com, they could be
> virtual hosts inside the same tomcat, but they could also be entirely
> distinct hosts with two separate Tomcats, and the client would/should never
> know.
> So having the same "session" covering the two hosts does not seem to make
> sense, to me at least.
> I can understand storing some other information into a separate cookie,
> which would be valid for the whole somedomain.com, but the session-id ?
>
>
>

Re: using Servlet Filter to rewrite domain of JSESSIONID cookie?

Posted by André Warnier <aw...@ice-sa.com>.
Nikita Tovstoles wrote:
> thanks for the pointers. However, emptySessionPath - from what I can tell -
> only deals with paths (not domain). how could I use it to ignore
> subdomains?
> 
> 
What I do not really understand in all this, is what the point is, of having the same 
JSESSIONID (and by extension, I suppose, session) for different domains.
(And I find the term "sub-domain" confusing, apart from the fact that technically, there 
is no such thing).
If you have 2 hosts a.somedomain.com and b.somedomain.com, they could be virtual hosts 
inside the same tomcat, but they could also be entirely distinct hosts with two separate 
Tomcats, and the client would/should never know.
So having the same "session" covering the two hosts does not seem to make sense, to me at 
least.
I can understand storing some other information into a separate cookie, which would be 
valid for the whole somedomain.com, but the session-id ?




Re: using Servlet Filter to rewrite domain of JSESSIONID cookie?

Posted by Nikita Tovstoles <ni...@gmail.com>.
Thanks for the pointers. However, emptySessionPath - from what I can tell -
only deals with paths (not domain). How could I use it to ignore
subdomains?



On Thu, Jul 1, 2010 at 2:07 AM, Rainer Jung <ra...@kippdata.de> wrote:

> On 01.07.2010 03:26, Christopher Schultz wrote:
>
>> Nikita,
>>
>> On 6/30/2010 6:20 PM, Nikita Tovstoles wrote:
>>
>>> I'd like to make session cookie domain-wide, and ignore subdomains - in
>>> Tomcat 6.
>>>
>>
>> You could use the emptySessionPath="true" setting in your <Connector>.
>>
>> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
>>
>
> The next version of Tomcat 6 to be released will contain configuration
> options for changing the domain, path and name. Those options will be part
> of the context element and described on the docs page linked above.
>
> The vote for 6.0.28 is happening now, so if nothing bad is found we will
> have that release in a few days.
>
> You can already grab and test it:
>
> http://people.apache.org/~jfclere/tomcat-6/v6.0.28/
>
> WARNING: this is not yet an official release! wait for the official release
> before using it in production.
>
> Regards,
>
> Rainer
>
>

Re: using Servlet Filter to rewrite domain of JSESSIONID cookie?

Posted by Rainer Jung <ra...@kippdata.de>.
On 01.07.2010 03:26, Christopher Schultz wrote:
> Nikita,
>
> On 6/30/2010 6:20 PM, Nikita Tovstoles wrote:
>> I'd like to make session cookie domain-wide, and ignore subdomains - in
>> Tomcat 6.
>
> You could use the emptySessionPath="true" setting in your <Connector>.
>
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

The next version of Tomcat 6 to be released will contain configuration 
options for changing the domain, path and name. Those options will be 
part of the context element and described on the docs page linked above.

The vote for 6.0.28 is happening now, so if nothing bad is found we will 
have that release in a few days.

You can already grab and test it:

http://people.apache.org/~jfclere/tomcat-6/v6.0.28/

WARNING: this is not yet an official release! wait for the official 
release before using it in production.

Regards,

Rainer



Re: using Servlet Filter to rewrite domain of JSESSIONID cookie?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Nikita,

On 6/30/2010 6:20 PM, Nikita Tovstoles wrote:
> I'd like to make session cookie domain-wide, and ignore subdomains - in
> Tomcat 6.

You could use the emptySessionPath="true" setting in your <Connector>.

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

> So for app reachable via my.site.com and www.site.com, I'd like to
> have session cookie's domain be ".site.com". I thought of doing so using a
> ServletResponseWrapper and a servlet Filter:

A filter won't work, as the cookie is (typically) created at the Valve
level, before your filter has a chance to run.

> However, JSESSIONID continues to be set to FQ host name ("my.site.com").

If you use a properly-configured Valve that does roughly the same thing,
I think it'll work.

> Is it because Tomcat internals do not use HttpServletResponse.addCookie() to
> set JSESSIONID or is that cookie set before filter chain gets executed?

Definitely the latter, but possibly also the former: the authenticator
valve might call methods directly on the non-spec Request object,
instead of a ServletRequest object.

> If so, sounds like Filter is (sadly) not applicable for this case, and I
> have to create a custom Valve? Any tips on how to
> wrap org.apache.catalina.connector.Response - valve.invoke() does not take
> HttpServletResponse...

See the handy configuration parameter above and save yourself a lot of
headache.

-chris