-
1. Re: Wildfly 10 changeSessionId returns the same session id
pferraro May 25, 2016 9:37 AM (in response to nick.sree)
WildFly 10 automatically changes the session ID following authentication - so I don't understand the need for Spring here.
First question: Is your web application <distributable/> in either or both scenarios (i.e. single server vs load balanced against multiple servers)?
-
2. Re: Wildfly 10 changeSessionId returns the same session id
nick.sree May 26, 2016 2:01 AM (in response to pferraro)
pferraro, thanks. Let me check once again whether WildFly itself changes the session ID, but I didn't see it changing before I applied the Spring one. My web app doesn't have distributable in web.xml; we are managing sessions using spring-session with Redis.
Adding one more piece of info: in the WildFly 9.0.2.Final / Ubuntu environment we are not facing this issue, but in WildFly 10.0.0.Final / RHEL (production) we are facing this problem.
Update:
I checked it by removing Spring, but this time it's not changing the session ID.
-
3. Re: Wildfly 10 changeSessionId returns the same session id
nick.sree May 26, 2016 6:37 AM (in response to pferraro)
pferraro, we found the issue: it was due to the time difference between the two app servers. We have now synced our NTP and it started working.
-
4. Re: Wildfly 10 changeSessionId returns the same session id
pferraro May 26, 2016 8:58 AM (in response to nick.sree)
That's good to hear.
In general, though, I would recommend against using a session filter-based mechanism for distributed web sessions. While I understand the appeal of a container-independent solution, this design has some inherent issues:
- Incompatible with container managed authentication/authorization.
- Modifications to the session outside the context of the filter (e.g. by the container, other filters higher up the chain) are lost on failover, since these will never be visible to other nodes (since these won't touch the distributed cache)
- Access to the session outside the context of the filter (e.g. by the container, other filters higher up the chain) can read stale data
- It violates the servlet specification in a number of areas:
  - HttpSessionIdChangedListeners are never triggered
  - HttpSessionActivationListeners are not triggered appropriately on replication/passivation/activation
  - HttpSessionListeners will trigger inconsistently, potentially prematurely, and on multiple nodes

... to name a few.
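
Added example, not part of the original thread and not WildFly or Spring Session code: a small diagnostic for a test deployment that checks the two behaviours discussed above, whether `changeSessionId()` actually returns a new ID and whether the container's session-ID-change listener fires. The class name `SessionIdRotationProbe` and the `/session-probe` path are assumptions; it targets the `javax.servlet` 3.1 API shipped with WildFly 10.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.annotation.WebListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;

// Hypothetical diagnostic class; its name and URL path are assumptions.
// The container creates one instance as the listener and another as the
// servlet, so the event counter is static.
@WebListener
@WebServlet("/session-probe")
public class SessionIdRotationProbe extends HttpServlet implements HttpSessionIdListener {

    private static final AtomicInteger ID_CHANGE_EVENTS = new AtomicInteger();

    @Override
    public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
        // Invoked by the servlet container only. Session IDs are never logged.
        ID_CHANGE_EVENTS.incrementAndGet();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        HttpSession session = req.getSession(true);
        String before = session.getId();
        int eventsBefore = ID_CHANGE_EVENTS.get();

        // Servlet 3.1 call from the thread title; a filter that wraps the
        // request may answer it instead of the container.
        String after = req.changeSessionId();

        boolean rotated = !before.equals(after);
        boolean consistent = after.equals(req.getSession(false).getId());
        boolean listenerFired = ID_CHANGE_EVENTS.get() > eventsBefore;

        resp.setContentType("text/plain");
        resp.setHeader("Cache-Control", "no-store");
        // Report booleans and the request class only, never the IDs.
        resp.getWriter().printf(
            "requestClass=%s%nidRotated=%b%nsessionViewConsistent=%b%ncontainerListenerFired=%b%n",
            req.getClass().getName(), rotated, consistent, listenerFired);
    }
}
```

`idRotated=false` reproduces the symptom in the thread title, while `idRotated=true` with `containerListenerFired=false` indicates the ID change was handled by a request wrapper rather than the container. The counter is shared across requests, so run the probe on an otherwise idle test instance.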
-
5. Re: Wildfly 10 changeSessionId returns the same session id
nick.sree May 26, 2016 7:38 AM (in response to pferraro)
pferraro, thank you for explaining it in detail. Let me explore the areas you have mentioned as issues of using it, with the help of the spring-session community. I can carry each of these concerns to them and see how to go forward. Thanks a lot...