axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kishanthan Thangarajah <>
Subject Axis2 ignores cookie values other than JSESSIONID/axis_session
Date Wed, 25 Sep 2013 05:33:24 GMT

Currently in HTTPSenderImpl#obtainHTTPHeaderInformation, the Session Cookie
string is constructed by checking only JSEESIONID/axis_session from
response headers and then adding them as cookie string. It ignores other
values which are coming with Set-Cookie from response headers. This will
cause issues with session stickiness, if a client application tries to call
some services via a load-balancer, where the load-balancer has its own way
of handling session stickiness with its own cookie header.

For example, if the requests are going through an Amazon ELB, it expect a
cookie named as "AWSELB" to identify the correct node. But this will fail,
if the client did not send the that cookie with the request, as axis2
client only sends the JSESSIONID.

As a fix, what I'm proposing is, remove the check for specific values (eg :
JSESSIONID), and set whatever the Set-Cookie values coming
with response headers as the Cookie string value. This will not break any
existing apps because, it does not remove any values rather it adds those
missing values.



View raw message