3 Replies Latest reply on Sep 10, 2015 4:55 PM by Paul Ferraro

    How to avoid appending -Djboss.node.name value to JSESSIONID

    Sreenath Reddy Novice

      Hi All,

       

      We migrated our application from JBoss 5.1.0 GA to WildFly 8.2.0. I observed that the value of "-Djboss.node.name"(node1) is appending to the JSESSIONID cookie which is causing major problem in my application.

       

      In my application we have a SessionListener class in which we are storing the sessionids to a static map and while doing any operations we are validating the session id from the map and loading the appropriate data.

       

      Please find the below code.

       

      In web.xml

      <listener>

        <listener-class>com.project.session.ProjectSessionListener</listener-class>

        </listener>

      and the code in ProjectSessionListener is


      public class ProjectSessionListener extends SeamListener {

      private static final Map<String, HttpSession> sessionMap = new HashMap<String, HttpSession>();

      ...............................

      @Override

        public void sessionCreated(final HttpSessionEvent event) {

        super.sessionCreated(event);

        final HttpSession session = event.getSession();

        final String sessionId = session.getId();

        sessionMap.put(sessionId, session);

        }

      }


      While adding the sessionid to sessionMap there is no .node1 appended to the session(ABCD1234), so the sessionid was saved without .node1 in the Map, but the login page was loaded successfully.


      When we click on Log-in I observed that .node1 was appended to the JSESSIONID9(ABCD1234.node1) and while validating we are trying to get the session date using without .node1 which is obviously return null and causing the exception.


      I tried

      1)  removing the  -Djboss.node.name from WildFly confuguration, in this case it is appending my pc name(ABCD1234.sreenath-WIN-7).

       

      2) Removing <cache name="distributable" passivation-store-ref="infinispan" aliases="passivating clustered"/> from standalone .xml


      Is there any way to avoid appending the extra characters to JSESSIONID on WildFly?


        • 1. Re: How to avoid appending -Djboss.node.name value to JSESSIONID
          Paul Ferraro Master

          Some general notes:

          1. It is generally a bad idea to cache or reference an HttpSession outside the scope of a request or session listener.  The servlet specification makes no guarantees that these object references remain valid when used in this way.
          2. We always append routing hints to the session id to support sticky session behavior for load balancers.  This extra routing information should never be visible to the application, provided the session is not accessed outside the scope of the request and/or listeners.

           

          When we click on Log-in I observed that .node1 was appended to the JSESSIONID9(ABCD1234.node1) and while validating we are trying to get the session date using without .node1 which is obviously return null and causing the exception.

           

          Can you post the "validating" code?  This routing information should never be visible to your application code.

           

          1)  removing the  -Djboss.node.name from WildFly confuguration, in this case it is appending my pc name(ABCD1234.sreenath-WIN-7).

           

          This value defaults to the host name, if undefined.

           

          2) Removing <cache name="distributable" passivation-store-ref="infinispan" aliases="passivating clustered"/> from standalone .xml

           

          This is EJB subsystem configuration and has nothing to do with HttpSessions.

           

          Is there any way to avoid appending the extra characters to JSESSIONID on WildFly?

           

          I'd like to first understand why this is a problem.  Please post your code that detects ".node1" in the session id.

          • 2. Re: How to avoid appending -Djboss.node.name value to JSESSIONID
            Sreenath Reddy Novice

            Actually my problem is I have configured a Listener Class and in the Listener class I am getting the sessionId and storing in a session Map. While storing the date into the Map using the above code, nothing is appended to my sessionId, so in the static map I stored the sessionId without any extra charactters.

             

            public class ProjectSessionListener extends SeamListener {

            private static final Map<String, HttpSession> sessionMap = new HashMap<String, HttpSession>();

            ...............................

            @Override

              public void sessionCreated(final HttpSessionEvent event) {

              super.sessionCreated(event);

              final HttpSession session = event.getSession();

              final String sessionId = session.getId();

            logger.info("sessionId ");

              sessionMap.put(sessionId, session);

              }

            }


            When we are doing actions(After the page is loaded) I am getting the session id with appending node1/system name. I am getting this sessionId using the below web services code.

             

            @WebService(name = "xyz", serviceName = "ProjectService")

              public class ProjectService extends AbstractService {

            @WebMethod()

              public HeaderPojo getHeaderData(final String sessionId)

              throws SessionNotFoundException {

            ................

            logger.info(sessionId);

            }

             

            In the above method I observed that(logger/debug point) I am gettinig session Id with extra appended characters.

             

            So, i will not have any problem if I am getting session id with extra appended characters in all the cases(Filters and Web service).

            I am trying to make this sessionId as unique, so I am looking for a way to remove the extra appended characters from the java code.

            • 3. Re: How to avoid appending -Djboss.node.name value to JSESSIONID
              Paul Ferraro Master

              When we are doing actions(After the page is loaded) I am getting the session id with appending node1/system name.

              How are you locating the session id?

              @WebService(name = "xyz", serviceName = "ProjectService")

                public class ProjectService extends AbstractService {

              @WebMethod()

                public HeaderPojo getHeaderData(final String sessionId)

                throws SessionNotFoundException {

              ................

              logger.info(sessionId);

              }

              This doesn't indicates how you determine the value of sessionId.  Can you post that code?

               

              The HttpSession is accessible from the WebServiceContext - the id of which should not contain any routing information.