tomcat-users mailing list archives

From Kief Morris <k...@bitbull.com>
Subject Re: Newbie question: How does Tomcat implement HttpSession?
Date Tue, 06 Feb 2001 13:42:32 GMT
david.svanberg@kentor.se typed the following on 01:10 PM 2/6/2001 +0100
>Our load balancer supports two ways of keeping the state of the sessions
>between requests, IP source (all clients from the same subnet will be redirected
>to that Tomcat server) and cookie based (a little more flexible approach), that
>is if the client allows cookies. To enable cookie based load balancing in our Load
>Balancer I have to know the name of the cookie being set and my question is - how
>does Tomcat implement HttpSession? Is this done by setting up a cookie?

It does it according to the Servlet specifications, which you might find
interesting. Check out the 2.2 final spec, which Tomcat 3.x uses:

http://java.sun.com/products/servlet/download.html#specs

Tomcat 4.0 (currently in beta) uses the 2.3 specification.

> If so, what is the name of that cookie 

JSESSIONID

>and what data differentiates this cookie from the one
>generated from other Tomcat servers (are they unique?)? I mean, if it's
>just a number sequence always starting from 1 with every restart of the Tomcat
>server you can't grant the sessions to be redirected to the correct server.

The data of the cookie is a unique, randomly generated string. I'm not sure
what you mean about not being able to grant the sessions. The cookie value
should absolutely NOT be predictable, otherwise crackers would run rampant
over your users. 

I haven't researched how load balancers handle cookies in detail. My
understanding is that knowing the name of the cookie should be enough:
the balancer should be able to use the value to identify users and direct
them to the same server on each subsequent request.

What load balancer are you using?

>I have tried figuring this out by snooping the request without luck. Please
>help.

You might also try poking around through the source code. One of the best
things about open source is that you can always roll up your sleeves and
pop the hood to see what's really going on.

Kief
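
Cookie-based stickiness as discussed in this message, as an added example that is not part of the original e-mail and is not Tomcat's or any particular load balancer's code. It assumes a balancer that learns the JSESSIONID value from each backend's Set-Cookie response; `StickyBalancer`, the backend names and `new_session_id` (a stand-in for the container's ID generator) are hypothetical.

```python
import secrets
from http.cookies import CookieError, SimpleCookie

COOKIE = "JSESSIONID"  # cookie name given in the reply above


def session_id(header_value):
    """Return the JSESSIONID value from a Cookie/Set-Cookie header, or None."""
    if not header_value:
        return None
    jar = SimpleCookie()
    try:
        jar.load(header_value)
    except CookieError:  # malformed header: treat as "no session"
        return None
    morsel = jar.get(COOKIE)
    return morsel.value if morsel else None


class StickyBalancer:
    """Learns which backend issued each session ID, then pins to it."""

    def __init__(self, backends):
        self.backends = list(backends)
        self.table = {}  # session ID -> backend that issued it
        self.next = 0    # round-robin cursor for requests with no known session

    def route(self, cookie_header):
        backend = self.table.get(session_id(cookie_header))
        if backend is None:
            # No cookie, or an ID the balancer never saw issued (guessed,
            # or left over from before a restart): plain round robin.
            backend = self.backends[self.next % len(self.backends)]
            self.next += 1
        return backend

    def observe_response(self, backend, set_cookie_header):
        """Record the ID a backend hands out in its Set-Cookie header."""
        sid = session_id(set_cookie_header)
        if sid:
            self.table[sid] = backend


def new_session_id():
    """Assumed stand-in for the container: 128 bits from the OS CSPRNG."""
    return secrets.token_hex(16)
```

Because the balancer maps each observed value to the server that issued it, the IDs need no server-specific prefix or ordering to be routed correctly, and they can stay fully random.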

