Greetings! Earthling Jeremy,
Never tried this before, but I'm going to have a guess because I've seen
this question before, and that didn't seem to have much luck...
The underlying technology at work is the cookie... so what happens is the
browser gets a JsessionId cookie from the server
and when it sees the same ID, it automatically resends the required
authentication info for the same path... and sub path.
Or in layman's terms the browser goes... "oh it's the good guy again... send
the password stuff".
So.... if you want to get the browser to treat the 2 domain names the
same.... you have to SOMEHOW set the domain in that JSession cookie.
Tomcat will automatically set it to abc.domain.com and def.domain.com.....
but you need to make it set BOTH machines to ".domain.com".
Then if Tomcat A authenticates..... and say you redirect to Tomcat B.... the
browser will go... "Hey it's the good guy again"
because the cookie domain is the same, and in "authentication terms"....
it's "one machine" to the browser.
Now if you did the authentication "programmatically" you could just set your
own session cookie...
because you're setting the headers and Tomcat doesn't even know you're doing
authentication.... but who wants all that hassle, gets very tricky.
So here is the real problem.... as soon as you add all the authentication
stuff to web.xml, Tomcat will start doing the cookie thing for you.
If you start "setting cookies manually" and trying to override JSessionID
with your own domain name....
I think you're just going to end up with 2 cookies with the same name...
Tomcat's "make it easy" internal session management will fight against
you.... so I think you can forget about doing anything manual once you use
the xml configuration.
So what I think is that if Tomcat doesn't provide a way to control that
session management.... it can't be done....
so I looked through the javadocs and I found this..
<Valve className="org.apache.catalina.authenticator.SingleSignOn"
       cookieDomain=".domain.com" />
I'm not sure but I think it's what you're looking for.... a way to set the
domain name on your servlet's cookie management.
... and "single sign on" sounds very promising.
So good luck.... BUT remember this is not free advice ;)
...... please report back and tell us if it worked, so we can also learn
something and this question can be put to rest forever.. thx
regards
Johnny
----- Original Message -----
From: "Jeremy Cowgar" <[EMAIL PROTECTED]>
To: <users@tomcat.apache.org>
Sent: Friday, April 20, 2007 10:42 PM
Subject: Session across multiple hosts?
Greetings!
I have domain.com and my app uses hosts under that domain, like
abc.domain.com, def.domain.com... When the user logs in, the session is
valid only on domain.com... How can I make that session also valid under
the other hostnames?
Thanks,
Jeremy
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
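
Added example (not part of the original messages and not Tomcat code): a small model of the browser-side rule the reply describes, following RFC 6265 domain matching, showing which hosts receive a JSESSIONID cookie set by abc.domain.com with and without Domain=.domain.com. The host list, cookie values and function names are constructed for illustration.

```javascript
// Model of the browser-side rule for sending a cookie to a host
// (RFC 6265 domain matching). Hosts and cookie values are constructed samples.
// Simplified: public-suffix and IP-address checks are omitted.

// True when host equals domain or is a subdomain of it (label boundary required).
function domainMatch(host, domain) {
  const h = host.toLowerCase();
  return h === domain || h.endsWith("." + domain);
}

// Store a Set-Cookie header received from requestHost; returns null if rejected.
function storeCookie(setCookieHeader, requestHost) {
  const [pair, ...attrs] = setCookieHeader.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: requestHost.toLowerCase(),
    hostOnly: true, // no Domain attribute: only the exact setting host gets it
  };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=").map((s) => s.trim());
    if (key.toLowerCase() !== "domain" || val === "") continue;
    const d = val.toLowerCase().replace(/^\./, ""); // leading dot is ignored
    // A host may only widen a cookie to a domain it belongs to.
    if (!domainMatch(requestHost, d)) return null;
    cookie.domain = d;
    cookie.hostOnly = false;
  }
  return cookie;
}

// Hosts from the list that would receive the cookie on a request.
function recipients(cookie, hosts) {
  if (cookie === null) return [];
  return hosts.filter((h) =>
    cookie.hostOnly ? h.toLowerCase() === cookie.domain : domainMatch(h, cookie.domain)
  );
}

const HOSTS = ["abc.domain.com", "def.domain.com", "domain.com", "notdomain.com"];
const hostOnly = storeCookie("JSESSIONID=A1B2C3; Path=/", "abc.domain.com");
const widened = storeCookie("JSESSIONID=A1B2C3; Domain=.domain.com; Path=/", "abc.domain.com");
const foreign = storeCookie("JSESSIONID=A1B2C3; Domain=.other.example; Path=/", "abc.domain.com");

console.log("host-only:", recipients(hostOnly, HOSTS));
console.log("Domain=.domain.com:", recipients(widened, HOSTS));
console.log("Domain=.other.example:", recipients(foreign, HOSTS));
```

With Domain=.domain.com the session ID is sent to every host under domain.com, so each of those hosts has to be trusted with it.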