
Session is not maintained

Posted: 11. September 2015 08:53
by Alex R4

I develop an application using two servers. Apache(80) and Tomcat(8080).
The communication between these servers worked well using HTTP and AJP protocols.
The Tomcat server (Java) maintains an array of session parameters.
These session parameters are used for any subsequent request from Apache(80).
All set-up within the XAMPP environment.
All good, worked perfectly.

Then my system got infected and I had to reinstall the computer from scratch.

After I installed everything the application works fine again, EXCEPT the session, in Java terms the
HttpSession is not maintained between two requests. The second request expects the HttpSession object to be there, but it isn't.
The JVM says: "This session is new." and creates a new HttpSession object.

Hint 1:
The new installation wasn't as straightforward either. I had an older XAMPP before, the new XAMPP is 5.6.8.
The old OP system was Windows7 Ultimate, the new is Windows7 Home Edition. The Tomcat version was 6.something, is now 8.0.22.
I am not using the XAMPP supplied Tomcat engine. Instead, I have a separate Tomcat instance installed. I did not do that on purpose.
I worked with the stand-alone Tomcat server long before I discovered XAMPP.
The JDK has changed as well, the version is now 1.8.0_60, the old one was 1.7.

Hint 2:
The HTML/CSS/JS files are located in a Tomcat(8080) directory.
Example 1:
When the browser requests data direct from Tomcat(8080), the HTML/CSS/JS files are served ok. Subsequent multiple AJAX requests
to Tomcat(8080) are served ok. That means Tomcat(8080) maintains the session to the browser. All good.

Example 2:
When the browser requests data from Apache(80), the HTML/CSS/JS (stored in Tomcat(8080)) files are served ok.
The subsequent FIRST AJAX request to Apache(80) is served ok. This request creates the HttpSession within Tomcat(8080).
The second AJAX request to Apache(80) fails, because Tomcat(8080) has to look up some parameters in HttpSession, but HttpSession
is not there and Tomcat(8080) throws an exception. In other words, SESSION is not maintained between Apache(80) and Tomcat(8080).

What I would like:
I would like to hear from anybody experienced in server-to-server communication which subjects I have to look at to find the
element to enable session. Just pointing me in the right direction would be very much appreciated.

What I have done so far:
Reading Apache internals. Searching the internet for related topics. Tested Apache by modifying some mod_xxx parameters.
I'm not an Apache person and I find it incredibly hard to get a working-understanding of these mod_xxx without having the
relevant practical experience.


Re: Session is not maintained

Posted: 09. October 2015 06:34
by Alex R4
After weeks of testing, the problem is now solved.
In my case, I tried to set a reverse proxy in Apache as follows:

Code:
ProxyPass        /UI http://localhost:8081/USER_INTERFACE/
ProxyPassReverse /UI http://localhost:8081/USER_INTERFACE/

It appeared that Apache was not passing the sessionId to subsequent requests.

The problem is caused by Tomcat.
The Tomcat server issues an outbound http header variable (as example) :
Code:
Set-Cookie = JSESSIONID=2E9C21F47E89E495C463E56651F24C1E; Path=/USER_INTERFACE/; HttpOnly

This variable contains a path element which, I assume, will be checked on subsequent requests.
If the path is true, then Tomcat issues an inbound http header variable (as example) :
Code:
cookie = JSESSIONID=2E9C21F47E89E495C463E56651F24C1E

The Java servlet is using that cookie to provide the correct httpSession object.

In case of a ProxyPassReverse environment, there is no Path=/USER_INTERFACE/.
Apache issues the path as /UI/, whereas Tomcat expects the path to be /USER_INTERFACE/.
The sessionId will not be passed on as a cookie and the application fails.

The path element has to be excluded from the outbound http header.
As in this example:

Code:
Original:   Set-Cookie = JSESSIONID=2E9C21F47E89E495C463E56651F24C1E; Path=/USER_INTERFACE/; HttpOnly
Modified:   Set-Cookie = JSESSIONID=2E9C21F47E89E495C463E56651F24C1E; HttpOnly

Here is the Java code to do this conversion at the end of a servlet:

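Code:
private void modifySetCookie(HttpServletRequest httpServletRequest,
                      HttpServletResponse httpServletResponse ){
   // Re-issue the session cookie without a Path attribute
   String sessionId = httpServletRequest.getSession().getId();
   String key = "Set-Cookie";
   String value = "JSESSIONID="+sessionId+"; HttpOnly";
   // setHeader replaces any Set-Cookie header already set on this response
   httpServletResponse.setHeader(key, value);
}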

Both Apache and stand-alone Tomcat will behave correctly, because path is not being evaluated.
Btw, this issue occurred only in the newest version of Tomcat. Tomcat 6.x did not have that
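
Added example, not part of the posts above and not Tomcat or Apache code: a small JavaScript model of the RFC 6265 default-path and path-match rules a browser applies, showing why the cookie from the thread is withheld on /UI/ requests and why it is sent once the Path is dropped or rewritten to the public prefix (the rewrite mod_proxy's ProxyPassReverseCookiePath directive performs at the proxy). The request paths /UI/first and /UI/second and the session id are constructed sample values, and rewriteCookiePath is a simplified, hypothetical stand-in for that directive.

```javascript
// Constructed sample header, shaped like the one quoted in the thread.
const SAMPLE_SET_COOKIE = "JSESSIONID=ABC123; Path=/USER_INTERFACE/; HttpOnly";

// RFC 6265 5.1.4 default-path: used when Set-Cookie has no usable Path attribute.
function defaultPath(requestPath) {
  const lastSlash = requestPath.lastIndexOf("/");
  if (!requestPath.startsWith("/") || lastSlash === 0) return "/";
  return requestPath.slice(0, lastSlash);
}

// RFC 6265 5.1.4 path-match: prefix match that must end on a "/" boundary.
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Path the browser stores for a cookie received in the response to requestPath.
function storedPath(setCookie, requestPath) {
  let path = null;
  for (const attr of setCookie.split(";").slice(1)) {
    const m = /^\s*path=(\/[^;]*)$/i.exec(attr);
    if (m) path = m[1].trimEnd();
  }
  return path ?? defaultPath(requestPath);
}

// Would a cookie set on the response to `setOn` be sent with a request to `next`?
function isSent(setCookie, setOn, next) {
  return pathMatches(storedPath(setCookie, setOn), next);
}

// Simplified model of a proxy-side rewrite of the Path prefix (backend -> public).
function rewriteCookiePath(setCookie, backendPath, publicPath) {
  return setCookie.replace(/(;\s*path=)([^;]*)/i, (whole, key, p) =>
    p.startsWith(backendPath) ? key + publicPath + p.slice(backendPath.length) : whole);
}

const variants = {
  "as issued by Tomcat": SAMPLE_SET_COOKIE,
  "Path removed": "JSESSIONID=ABC123; HttpOnly",
  "Path rewritten": rewriteCookiePath(SAMPLE_SET_COOKIE, "/USER_INTERFACE/", "/UI/"),
};
for (const [label, header] of Object.entries(variants)) {
  console.log(label.padEnd(20), header, "-> sent on /UI/second:",
    isSent(header, "/UI/first", "/UI/second"));
}
```

With the Path rewritten to /UI/ the cookie stays scoped to the proxied application, so requests to other paths on the same host do not carry the session id.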