WildFly 10 automatically changes the session ID following authentication - so I don't understand the need for Spring here.
First question: Is your web application <distributable/> in either or both scenarios (i.e. single server vs load balanced against multiple servers)?
pferraro, thanks. Let me check once again whether WildFly itself changes the session ID, but I didn't see it changing before I applied the Spring one. My web app doesn't have distributable in web.xml; we are managing sessions using spring-session with Redis.
Adding one more piece of info: in the WildFly 9.0.2.Final / Ubuntu environment we are not facing this issue, but in WildFly 10.0.0.Final / RHEL (production) we are facing this problem.
I checked it by removing Spring, but this time it's not changing the session ID.
That's good to hear.
In general, though, I would recommend against using a session filter-based mechanism for distributed web sessions. While I understand the appeal of a container-independent solution, this design has some inherent issues:
- Incompatible with container managed authentication/authorization.
- Modifications to the session outside the context of the filter (e.g. by the container, other filters higher up the chain) are lost on failover, since these will never be visible to other nodes (since these won't touch the distributed cache)
- Access to the session outside the context of the filter (e.g. by the container, other filters higher up the chain) can read stale data
- It violates the servlet specification in a number of areas:
  - HttpSessionIdChangedListeners are never triggered
  - HttpSessionActivationListeners are not triggered appropriately on replication/passivation/activation
  - HttpSessionListeners will trigger inconsistently, potentially prematurely, and on multiple nodes

... to name a few.
pferraro, thank you for explaining it in detail. Let me explore the areas you have mentioned as issues of using it, with the help of the spring-session community. I can carry each of these concerns to them and see how to go forward. Thanks a lot...
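One way to check the behaviour discussed in this thread, namely whether the session ID actually changes after authentication, is to compare the session cookies issued before login with those issued by the login response. This is an added example, not code from any poster or from WildFly or spring-session; the cookie names, the `<id>.<route>` suffix handling and the sample headers are assumptions constructed for illustration.

```python
from http.cookies import SimpleCookie

# Assumed cookie names: JSESSIONID (servlet container default) and
# SESSION (the default cookie name used by spring-session).
SESSION_COOKIES = ("JSESSIONID", "SESSION")


def session_ids(set_cookie_headers):
    """Return {cookie_name: session_id} from a list of Set-Cookie values."""
    found = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name in SESSION_COOKIES:
            if name in jar:
                # Assumption: behind a load balancer a route may be appended
                # as "<id>.<route>"; only the id part identifies the session,
                # so a route-only change must not count as a new session ID.
                found[name] = jar[name].value.split(".", 1)[0]
    return found


def check_rotation(before_login, after_login):
    """Compare IDs issued before login with those set by the login response."""
    old, new = session_ids(before_login), session_ids(after_login)
    result = {}
    for name, old_id in old.items():
        if name not in new:
            result[name] = "not rotated (no new cookie issued)"
        elif new[name] == old_id:
            result[name] = "not rotated (same id re-issued)"
        else:
            result[name] = "rotated"
    return result


# Constructed sample headers (not captured from a real server).
BEFORE = ["JSESSIONID=aaa111bbb222.node1; Path=/app; HttpOnly"]
AFTER_ROUTE_ONLY = ["JSESSIONID=aaa111bbb222.node2; Path=/app; HttpOnly"]
AFTER_NEW_ID = ["JSESSIONID=ccc333ddd444.node2; Path=/app; HttpOnly"]

if __name__ == "__main__":
    print(check_rotation(BEFORE, AFTER_ROUTE_ONLY))
    print(check_rotation(BEFORE, AFTER_NEW_ID))
    print(check_rotation(BEFORE, []))
```
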