Session cookies generated by WildFly 13.0 backend servers causing trouble at Apache load balancer
tdsob Sep 18, 2018 3:53 AM
Hello fellow WildFly users!
Upgrading from WildFly 10.1 to 13.0, I stumbled over an issue I'd like to mention here. Obviously the behaviour on creating session cookies now depends on whether you're using WildFly in standalone mode or domain mode.
With the Firefox plugin "HTTP header live" I observed different set-cookie directives in these two modes.
In standalone mode it looks like this:
Set-Cookie: JSESSIONID=1b51he-PLdFyMh_u6gXa1nxioiWeEVhpZ0P7WFkb.jessie64; path=/myapp
In domain mode it looks like this:
Set-Cookie: JSESSIONID="V2RZyDaCXdTV5GS5DdRjqiBQNXtYGwYwajVcEkIO.node01:server-one"; Version=1; Path=/myapp
The quotation marks surrounding the session id caused some trouble at the Apache load balancer (mod_proxy_balancer), which was not able to handle requests to the WildFly backend servers "sticky" any more. Before the upgrade of WildFly we had a working Apache configuration, which basically looked like this:
<Proxy balancer://myapp-balancer-http>
BalancerMember http://node01.example.com:8230 route=node01:server-one timeout=3600
BalancerMember http://node02.example.com:8230 route=node02:server-one timeout=3600
ProxySet lbmethod=byrequests stickysession=JSESSIONID|jsessionid scolonpathdelim=On
</Proxy>
After the upgrade to WildFly 13.0 we had to adjust this configuration to consider the additional quotation mark. The new configuration basically looks like this now:
<Proxy balancer://myapp-balancer-http>
BalancerMember http://node01.example.com:8230 route=node01:server-one" timeout=3600
BalancerMember http://node02.example.com:8230 route=node02:server-one" timeout=3600
ProxySet lbmethod=byrequests stickysession=JSESSIONID|jsessionid scolonpathdelim=On
</Proxy>
Following the Apache documentation this seems comprehensible in a way as the text contains the following information:
Some back-ends use a slightly different form of stickyness cookie, for instance Apache Tomcat. Tomcat adds the name of the Tomcat instance to the end of its session id cookie, separated with a dot (.) from the session id. Thus if the Apache web server finds a dot in the value of the stickyness cookie, it only uses the part behind the dot to search for the route. [...] The name of the session cookie used by Tomcat (and more generally by Java web applications based on servlets) is JSESSIONID (upper case) but can be configured to something else.
I have to admit that the updated Apache configuration looks a little bit strange to me. Thus, I am interested in your opinion/expertise:
- Do you consider the different behaviour on creating session cookies in standalone mode and domain mode a bug in WildFly one should report?
- Does anybody know a possible configuration option to restore the old behaviour or make it equal in both modes?
Thanks and greetings,
Stefan Oberwahrenbrock
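
Added example (not part of the original post, and not mod_proxy_balancer's code): a small diagnostic that models the route lookup described in the quoted Apache documentation and classifies the two Set-Cookie headers from the post against the configured routes. It assumes the text behind the first dot is compared literally with each BalancerMember route and that the browser returns the cookie value unchanged; the standalone route "jessie64" is taken from the cookie, not from a configuration shown in the post.

```python
from typing import Optional

# Constructed from the two headers and the balancer routes shown in the post.
STANDALONE = "Set-Cookie: JSESSIONID=1b51he-PLdFyMh_u6gXa1nxioiWeEVhpZ0P7WFkb.jessie64; path=/myapp"
DOMAIN = 'Set-Cookie: JSESSIONID="V2RZyDaCXdTV5GS5DdRjqiBQNXtYGwYwajVcEkIO.node01:server-one"; Version=1; Path=/myapp'
ROUTES = ["node01:server-one", "node02:server-one"]


def cookie_value(header: str, name: str = "JSESSIONID") -> Optional[str]:
    """Return the raw (possibly quoted) value of cookie `name`, or None."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    key, sep, value = header.split(";", 1)[0].partition("=")
    return value.strip() if sep and key.strip() == name else None


def derived_route(value: str, strip_quotes: bool = False) -> Optional[str]:
    """Text behind the dot, as the quoted documentation describes.
    Assumption of this model: the first dot is the separator."""
    if strip_quotes and len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    _, dot, route = value.partition(".")
    return route if dot else None


def diagnose(header: str, routes: list) -> dict:
    """Classify whether the cookie's route matches a configured route."""
    value = cookie_value(header)
    if value is None:
        return {"status": "no-cookie", "route": None}
    raw = derived_route(value)
    if raw in routes:
        return {"status": "sticky", "route": raw}
    # A match only after removing the surrounding quotes means the
    # quoting itself is what breaks stickiness.
    if derived_route(value, strip_quotes=True) in routes:
        return {"status": "broken-by-quotes", "route": raw}
    return {"status": "unknown-route", "route": raw}


if __name__ == "__main__":
    # "jessie64" is an assumed route name for the standalone case.
    for label, hdr, routes in [("standalone", STANDALONE, ["jessie64"]),
                               ("domain", DOMAIN, ROUTES)]:
        print(label, diagnose(hdr, routes))
```

A "broken-by-quotes" result on a captured header points at the cookie quoting rather than at a wrong route name in the balancer configuration.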