2 Replies Latest reply on Apr 3, 2014 4:11 AM by marcodanti

    Sticky sessions and Set-Cookie HTTPOnly header

    marcodanti

      I ran into a situation where sticky sessions apparently get disabled when using Set-Cookie HttpOnly:


      1. Without set-cookie, sticky sessions are working
      2. As soon as I insert "Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure" (also tried "Header set Set-Cookie HttpOnly;Secure") into httpd.conf, sticky sessions are not sticky anymore


      The configuration is :

      • HTTPD-2.4.6 with modcluster-1.3.1-SNAPSHOT working as the reverse proxy
      • JBoss-AS-7.2.0.Final (with modcluster-1.2.6.Final) working as the backend servers
        1. Re: Sticky sessions and Set-Cookie HTTPOnly header
          rhusar

          I cannot reproduce the issue with HttpOnly cookies, it all works fine.


          My hunch is a misunderstanding of the Secure cookie attribute. This means that the client will send this cookie only via HTTPS. Since you are adding this to all cookies and the stickiness information is part of the session ID cookie, it will not be sent if you are testing over HTTP. A new session will be created every time, since you won't present your existing cookie. Try with "Header set Set-Cookie HttpOnly" instead, or use HTTPS.

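The mechanism rhusar describes, as an added example written for this thread (not code from httpd, mod_cluster or JBoss): the backend sets JSESSIONID=<id>.<jvmRoute> (the layout mod_cluster and mod_jk read the route from), the `Header edit` directive from the question appends `;HttpOnly;Secure`, and a client that honours `Secure` then withholds the cookie on plain http://, so the proxy sees no route and dispatches a fresh session. The client side is Python's standard http.cookiejar, which applies the same `Secure` rule as a browser. The hostname, session id and node name are constructed sample values.

```python
"""Why `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure` breaks stickiness over HTTP.

Added example for this thread, not httpd or mod_cluster code. The route
extraction assumes the usual JSESSIONID=<id>.<jvmRoute> layout; the host,
session id and node name are constructed.
"""
import re
from email.message import Message
from http.cookiejar import CookieJar
from typing import Optional
from urllib.request import Request

HOST = "app.example.com"                                      # assumed test host
BACKEND_SET_COOKIE = "JSESSIONID=0a1b2c3d4e5f.node1; Path=/"  # constructed; ".node1" is the jvmRoute


def apache_header_edit(value: str) -> str:
    """Same rewrite as `Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure`:
    group 1 is the whole header value, and the two attributes are appended."""
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure", value, count=1)


class _Response:
    """Minimal stand-in for an HTTP response, as http.cookiejar expects it."""

    def __init__(self, set_cookie: str) -> None:
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self) -> Message:
        return self._headers


def cookie_header_sent(set_cookie: str, origin_url: str, next_url: str) -> Optional[str]:
    """Store `set_cookie` as received from origin_url, then return the Cookie
    header the client attaches to its next request for next_url (None if none).
    http.cookiejar drops Secure cookies for non-https requests, as browsers do."""
    jar = CookieJar()
    jar.extract_cookies(_Response(set_cookie), Request(origin_url))
    req = Request(next_url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


_ROUTE = re.compile(r"(?:^|;\s*)JSESSIONID=[^;.]+\.([^;]+)")


def proxy_route(cookie_header: Optional[str]) -> Optional[str]:
    """The jvmRoute a proxy reads from the request's JSESSIONID, or None when
    there is no cookie or no suffix, i.e. no stickiness and a fresh session."""
    if not cookie_header:
        return None
    m = _ROUTE.search(cookie_header)
    return m.group(1) if m else None


def route_seen_by_proxy(header_edit_enabled: bool, scheme: str) -> Optional[str]:
    """One round trip: the backend's Set-Cookie (rewritten by httpd or not),
    then the client's next request over `scheme`; returns the route the proxy sees."""
    set_cookie = apache_header_edit(BACKEND_SET_COOKIE) if header_edit_enabled else BACKEND_SET_COOKIE
    origin = f"{scheme}://{HOST}/"
    return proxy_route(cookie_header_sent(set_cookie, origin, f"{scheme}://{HOST}/app/next"))


if __name__ == "__main__":
    for edit, scheme in ((False, "http"), (True, "http"), (True, "https")):
        print(f"Header edit={str(edit):5} scheme={scheme:5} -> route {route_seen_by_proxy(edit, scheme)}")
```

Running it shows the three cases from the thread: no rewrite over HTTP gives route node1, the rewrite over HTTP gives no route at all (the "not sticky anymore" symptom), and the same rewrite over HTTPS gives node1 again. The fix is therefore to test through HTTPS (or terminate TLS at httpd), not to drop `Secure`; note also that this `Header edit` pattern appends the attributes unconditionally, so a backend that already emits them ends up with duplicated attributes in the header.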
          2. Re: Sticky sessions and Set-Cookie HTTPOnly header
            marcodanti

            Silly me, that was exactly my problem. Thanks a lot!