6 Replies Latest reply on Jan 5, 2017 4:05 AM by jeepatz

New session created on each request with session cookie

jeepatz Nov 16, 2016 5:11 AM

I am migrating an application from JBoss EAP 6.4 to JBoss EAP 7.0 but have run in to an issue where JBoss seems to be creating a new session on each new request when using session cookie to track the session.

The application has several war files in the ear file. On JBoss 6.4 the application shared session across each war file using a session cookie by including jboss-web.xml in the WEB-INF folder of each war file as below:

<jboss-web>

<session-config>

<cookie-config>

<http-only>true</http-only>

<secure>false</secure>

</cookie-config>

</session-config>

</jboss-web>

On JBoss 7.0, with this configuration, when I make an initial request I can see the session cookie is created as expected. But on each subsequent request a new session is created. It works as expected when the jsessionid parameter is included in the url.

I have tried using a jboss-all.xml file as documented here Web (Undertow) Reference Guide - WildFly 10 - Project Documentation Editor but still had the same problem.

I've also tried moving the session cookie config directly into the web.xml rather than in jboss-web or jobss-all but that didn't help either.

Any suggestions on what the problem could be? Thanks.

1. Re: New session created on each request with session cookie

pjhavariotis Nov 21, 2016 2:50 AM (in response to jeepatz)

If I am right, you want to implement session sharing between WAR modules subdeployments in a specific EAR.
If this is the case, you can check the documentation for EAP 7: https://access.redhat.com/documentation/en/red-hat-jboss-enterprise-application-platform/version-7.0/development-guide/#…
Actions
2. Re: New session created on each request with session cookie

jeepatz Nov 21, 2016 5:03 AM (in response to pjhavariotis)

Thanks for the reply.

Yes this is the same configuration as the Wildlfy 10.0 documentation but it isn't working for me. I tried adding a jboss-all.xml file to the META-INF directory of the ear with the below configuration but still having the same issue:

<jboss umlns="urn:jboss:1.0">
<shared-session-config xmlns="urn:jboss:shared-session-config:1.0">
    <max-active-sessions>10</max-active-sessions>
    <session-config>
      <session-timeout>15</session-timeout>
      <cookie-config>
        <name>JSESSIONID</name>
        <path>/</path>
        <comment>cookie comment</comment>
        <http-only>true</http-only>
        <secure>false</secure>
        <max-age>-1</max-age>
      </cookie-config>
      <tracking-mode>COOKIE</tracking-mode>
    </session-config>
    <replication-config>
      <cache-name>web</cache-name>
      <replication-granularity>SESSION</replication-granularity>
    </replication-config>
</shared-session-config>
</jboss>
Actions
3. Re: New session created on each request with session cookie

pjhavariotis Nov 21, 2016 5:19 AM (in response to jeepatz)

In the documentation, the <tracking-mode>COOKIE</tracking-mode> is a member of the shared-session-config (not session-config).
Can you change your jboss-all.xml accordingly and try again?
Actions
4. Re: New session created on each request with session cookie

jeepatz Nov 21, 2016 5:40 AM (in response to pjhavariotis)

I think that's an error in the example xml in the documentation. The example xml contradicts the structure in reference section 3.7.4.1 just above the example.

The <tracking-mode> is within <session-config> in the schema and so JBoss fails on startup with a parsing error if <tracking-mode> is within <shared-session-config> rather than within <session-config>.
Actions
5. Re: New session created on each request with session cookie

pjhavariotis Nov 21, 2016 6:03 AM (in response to jeepatz)

OK then! You'd better report it back to Red Hat as a support case.
Actions
6. Re: New session created on each request with session cookie

jeepatz Jan 5, 2017 4:05 AM (in response to jeepatz)

It seems that this may have been a bug in JBoss EAP 7.0.0
NullPointerException upon request completion and session invalidation in EAP 7 - Red Hat Customer Portal
Actions

Go to original post