Reputation: 915
We have a cloud environment which contains multiple load balancers and Tomcat servers serving a single web application (a single page application written in AngularJS, Spring MVC and Java).
Due to some unknown issue in the network configuration, even after enabling session persistence, I observed that the JSESSIONID cookie keeps changing between subsequent requests.
This causes the login and authentication information to be lost, since the values are stored as auth keys in the session object.
What is the best practice to handle a changing JSESSIONID on the server side?
Upvotes: 1
Views: 1052
Reputation: 38328
It appears that you can never trust JSESSIONID on the server side in your cloud setup; so abandon it.
Instead use a database (shared between all servers) to store the session information.
Use userid or something like it (perhaps a UUID that you generate when they login) to identify the session in the database.
Track a "validUntil" datetime value in the database for each session, update it every time a user accesses the session (both read and write); this is how you will implement session timeout.
When accessing the session, if now is after validUntil, then the session has timed out.
Upvotes: 2
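The store the answer describes, written out as an added example (it is not code from the question, the answer, or any Tomcat/Spring component): a session table shared by every node, keyed by a random token issued at login instead of JSESSIONID, with a sliding `valid_until` that is pushed forward on each access and checked against the current time. The example assumes an in-memory SQLite database as a stand-in for the shared database, a 30 minute session lifetime, and an injectable clock (`FakeClock`) so the timeout path can be exercised without waiting; the `SharedSessionStore` class, the `sessions` table layout and the user name "alice" are all constructed for the example.

```python
"""Shared, database-backed session store with sliding expiry (added example).

Assumptions: SQLite stands in for the database shared by all Tomcat nodes;
lifetime is 30 minutes; the clock is injectable so timeouts are testable.
"""
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

SESSION_LIFETIME = timedelta(minutes=30)


def _utc_now() -> datetime:
    return datetime.now(timezone.utc)


def _token_hash(token: str) -> str:
    # Only a hash of the token is stored, so a copy of the sessions table
    # cannot be replayed directly as a logged-in session.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SharedSessionStore:
    """One instance per node; every instance points at the same database."""

    def __init__(self, conn: sqlite3.Connection, lifetime=SESSION_LIFETIME, clock=_utc_now):
        self.conn = conn
        self.lifetime = lifetime
        self.clock = clock
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS sessions ("
            " token_hash TEXT PRIMARY KEY,"
            " user_id TEXT NOT NULL,"
            " valid_until TEXT NOT NULL)"
        )

    def create(self, user_id: str) -> str:
        """Called at login: issue a random token and record validUntil = now + lifetime."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        valid_until = self.clock() + self.lifetime
        self.conn.execute(
            "INSERT INTO sessions (token_hash, user_id, valid_until) VALUES (?, ?, ?)",
            (_token_hash(token), user_id, valid_until.isoformat()),
        )
        self.conn.commit()
        return token  # set this as the session cookie

    def touch(self, token: str):
        """Called on every request: return the user_id if the session is live and
        slide validUntil forward; return None (and drop the row) if it timed out."""
        h = _token_hash(token)
        row = self.conn.execute(
            "SELECT user_id, valid_until FROM sessions WHERE token_hash = ?", (h,)
        ).fetchone()
        if row is None:
            return None
        user_id, valid_until = row[0], datetime.fromisoformat(row[1])
        now = self.clock()
        if now > valid_until:
            # Timed out: delete so the token can never be revived later.
            self.conn.execute("DELETE FROM sessions WHERE token_hash = ?", (h,))
            self.conn.commit()
            return None
        self.conn.execute(
            "UPDATE sessions SET valid_until = ? WHERE token_hash = ?",
            ((now + self.lifetime).isoformat(), h),
        )
        self.conn.commit()
        return user_id

    def destroy(self, token: str) -> None:
        """Logout: remove the row so the token is dead on every node at once."""
        self.conn.execute("DELETE FROM sessions WHERE token_hash = ?", (_token_hash(token),))
        self.conn.commit()


class FakeClock:
    """Constructed for the example: a clock the demo can advance by hand."""

    def __init__(self, start: datetime):
        self.now = start

    def __call__(self) -> datetime:
        return self.now


def demo():
    """Two nodes, one database: the session survives a node switch and
    times out 30 minutes after its last access. Returns the three touch results."""
    clock = FakeClock(datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc))
    conn = sqlite3.connect(":memory:")  # constructed stand-in for the shared DB
    node_a = SharedSessionStore(conn, clock=clock)
    node_b = SharedSessionStore(conn, clock=clock)
    token = node_a.create("alice")          # login handled by node A
    first = node_a.touch(token)             # 12:00, validUntil -> 12:30
    clock.now += timedelta(minutes=20)
    second = node_b.touch(token)            # 12:20 on node B, validUntil -> 12:50
    clock.now += timedelta(minutes=31)
    third = node_b.touch(token)             # 12:51 > 12:50: timed out
    return first, second, third


if __name__ == "__main__":
    print(demo())  # ('alice', 'alice', None)
```

The token replaces JSESSIONID as the thing the cookie carries, so it needs the same protection a JSESSIONID would (random, long, `HttpOnly`, `Secure`), and the lookup happens on every request, which is why the example keys the table on a hash and keeps the query to a single indexed row. In a Spring stack the same pattern is what Spring Session provides with a JDBC or Redis backing store.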