tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier ...@ice-sa.com>
Subject Re: jk load balancing based upon ip address rather than session id
Date Fri, 13 Jun 2008 18:29:26 GMT

Simon Papillon wrote:
> "as long as the domains have a common part of course"
> Unfortunately in my case that doesn't hold true, its an international
> site, and we've got the same domain names for different  tlds e.g.:
> mydomain.com
> mydomain.com.ar
> 
I am not really a specialist of Tomcat, so I'll stick to try at the 
Apache level for now.  Maybe it will provide an idea of how to do it at 
the Tomcat level anyway.

I imagine that there is a single Apache host, with 3 virtual servers
www.mycompany.com
www.mycompany.co.uk
www.mycompany.ar
and the problem is that a browser will not send a cookie to a server 
whose domain name does not at least partially match.  We can also not 
just set always 3 cookies, because the browser would probably reject a 
cookie that the host "www.mycompany.com" would want to set for the 
domain "mycompany.co.uk".

On the other hand, there must be a way by which you can tell that it is 
the same user that just switched from "www.mycompany.com" to 
"www.mycompany.co.uk".  You were talking previously of some scheme based 
on IP address.  That seems a bit dangerous to me, because all requests 
from behind a router doing NAT will appear to be from the same IP 
address (but not the same port).

Let's imagine thus that when you get a request, you obtain the IP 
address and port it is made from, and use this combination as a key.
Your 3 servers use a common "database" of user sessions, where each 
session is identified by such a key.
Whenever a server gets a request, it checks the database, and if it 
finds a matching key, retrieves the info stored under that key, and sets 
a cookie (with its own domain) which it sends back to the browser.
Now the browser, for this new server, will re-send the cookie, and it 
happens to contain the same information that was set previously by the 
first server (the one who did the initial authentication and created the 
initial database entry).

Are we getting somewhere ?

No, we are not. Because when the browser switches from one server to the 
other, it might also start another TCP session, to which the router 
would give another origin port.

But wait, it might still work, because the 3 virtual servers share in 
fact the same IP address, and the router would not know that this is a 
new session, because it works on the base of IP addresses, and does not 
look at the "Host:" HTTP headers.

I have no idea how fragile this is, but maybe it gives you some 
additional ideas ?
(It probably is quite fragile, because it depends on the browser and 
server maintaining the same TCP session throughout.)

But now wait again.
Do you know about OpenID ? That may be what you are looking for, and 
avoid all the stuff above.
In your case, you would run your own OpenID server, and it would 
authenticate users no matter on which server they start, and keep this 
authentication available for the other (registered) servers.
Go to "http://openid.net"

André



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message