Potential valid session id overlap?

jowizzle Jan 11, 2008 4:11 AM

I have a concern about a simple load balanced setup: a cisco css/vip that handles www.foo.com, and two independent JBoss AS 4.2.2 instances, node1 and node2. Each JBoss is fronted by Apache httpd and mod_jk. The mod_jks are also independent, i.e., they have no knowledge of one another and do not perform load balancing.

Since these two nodes are independent, they would each independently generate a value for the JSESSIONID cookie. Suppose a user Jim logs in and is directed to node1. Node1 generates "abc". Suppose a user Bob logs in and is directed to node2. Node2 also generates abc. Both sessions remain valid. Upon his next request, if Jim were to be directed to node2, would he assume Bob's session?

If not, why not? If so, how does one set up a similar simple load balancing solution? My applications are not distributable, so I have no need for session replication. I want simple sticky sessions.

Thanks very much for any comments, insight or advice.

1. Re: Potential valid session id overlap?

brian.stansberry Jan 11, 2008 11:27 AM (in response to jowizzle)

The session ids are randomly generated. This basically counts on the same id not being generated twice during any reasonable timespan, which, given the size of a session id, is a quite safe assumption.
Actions