All,

I'm having a weird problem in production that I completely understand
but I'm not sure if there's a good way to fix it without re-locating one
of my applications.

I have 3 webapps running in separate VMs. One of them is running as ROOT
(context path '/'), and both of the others are running with a context
path of '/foo'. I am fronting the applications with Apache httpd which
determines which URLs go to the main /foo application and which go to an
instance of Apache Cocoon also running under /foo.

When users hit the Cocoon instance, we use their requested session id
(request param or cookie) to make a loopback call to the main /foo
application to get some XML for processing. This has the effect of
sharing a login across two applications because Cocoon masquerades as
the real user by using the session id from the original request to make
the loopback request. Cocoon never allocates sessions for any reason.

Now, here's the problem: the ROOT webapp and the /foo webapp both create
sessions and set cookies on the client. The ROOT webapp creates a cookie
path='/' while the /foo webapp creates a cookie with path='/foo'. This
means that, for users who are using both applications at once, all
requests to '/foo' have TWO values sent for the JSESSIONID cookie. It
appears that Tomcat will try both cookie ids and use the one that
actually works (because this dual-cookie thing doesn't seem to confuse
Tomcat). The problem is when a similar request goes to Cocoon (also
running on Tomcat).

Since the Cocoon instance does not use sessions, /both/ JSESSIONID
cookies are equally invalid, so Tomcat doesn't know which one to choose
when returning a value from HttpServletRequest.getRequestedSessionId. In
certain cases, it returns the "wrong" one (the one from path='/') and
the result is that Cocoon forwards the wrong session id to the real
application, and I get a "not logged in" error. :(

The obvious solution is not to deploy the ROOT application as ROOT, but
instead under some other prefix that does not confuse clients (and my
apps) in this way. I'm wondering if anyone has any other brilliant ideas.

Thanks!

-chris
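An added example, not part of the original post and not Tomcat or Cocoon code: one way the forwarding side could cope with the two JSESSIONID values described above is to read every value from the raw Cookie header instead of relying on a single requested session id, and forward only the one the main /foo application accepts. The class name, the sample header, the session ids and the `acceptedByBackend` check (a stand-in for the loopback call) are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.function.Predicate;

public class SessionIdCandidates {

    /** Returns every value sent for the named cookie, in header order. */
    static List<String> cookieValues(String cookieHeader, String name) {
        List<String> values = new ArrayList<>();
        if (cookieHeader == null) return values;
        for (String pair : cookieHeader.split(";")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;                 // skip malformed pairs
            if (pair.substring(0, eq).trim().equals(name)) {
                values.add(pair.substring(eq + 1).trim());
            }
        }
        return values;
    }

    /** Picks the first candidate the backend accepts, or null if none does. */
    static String pickValid(List<String> candidates,
                            Predicate<String> acceptedByBackend) {
        for (String id : candidates) {
            if (acceptedByBackend.test(id)) return id;
        }
        return null;                              // treat as "not logged in"
    }

    public static void main(String[] args) {
        // Constructed sample: one cookie set by the ROOT webapp (path='/') and
        // one set by the /foo webapp (path='/foo'). The Cookie request header
        // carries only name=value pairs, so the paths are not visible here.
        String header =
            "JSESSIONID=AAAA1111ROOT; theme=dark; JSESSIONID=BBBB2222FOO";

        // Hypothetical stand-in for the loopback probe to the main /foo app.
        Set<String> fooSessions = Set.of("BBBB2222FOO");

        List<String> candidates = cookieValues(header, "JSESSIONID");
        System.out.println("candidates = " + candidates);
        System.out.println("forwarded  = "
            + pickValid(candidates, fooSessions::contains));
    }
}
```

In a servlet the header string would come from `HttpServletRequest.getHeader("Cookie")`, and the predicate would wrap the existing loopback request.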