JSESSION Cookie

Hi,
I have a problem:
The JSESSIONID cookie generated by the site is not marked with the secure
flag. Depending on the browser in use by the client, this can allow
authenticated session cookies to be sent in clear-text. See screenshot
below.
How do I mark JSESSIONID secure? By JSP pages?
Thanks.

Thanks for the useful link.
The doc really makes the JSESSIONID a secure cookie.
But in this scenario, the session does not work in HTTP mode.
So I want to know:
1) Is there any way to make the HTTP session still work while JSESSIONID in HTTPS remains secure?
2) Can I configure WebLogic only for some applications instead of the whole WebLogic environment?
Because in our production environment, all business portals share the same WebLogic instance.
If I use the CookieSecure attribute then it impacts all the other businesses and this is absolutely forbidden.
In addition, I found BEA gives another solution:
<WebServer Name="myserver" AuthCookieEnabled="true"/>
http://e-docs.bea.com/wls/docs61/webapp/security.html#118730
But I have tested in WebLogic 6.1 SP5 and found it does not work.
Does anyone have any idea about the AuthCookieEnabled attribute?
Thanks in advance!
Any clue will be highly appreciated!
Regards,
David
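
To check what the thread above describes (a JSESSIONID issued without the Secure flag, or a Secure one issued on a plain-HTTP response), the following added example, which is not code from the posters or from BEA, audits captured response headers. The header samples, `example.com` and the finding labels are constructed assumptions.

```python
# Added example (not from the original posts). All header values below are
# constructed; "example.com" and the session ids are placeholders.
from dataclasses import dataclass, field

SESSION_COOKIE_NAMES = {"jsessionid"}  # assumption: cookies audited as session ids


@dataclass
class SetCookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute -> value

    @property
    def secure(self) -> bool:
        # RFC 6265 section 5.2.5 keys on the attribute name only, so the
        # non-standard spelling "secure=true" still sets the flag.
        return "secure" in self.attrs


def parse_set_cookie(header_value: str) -> SetCookie:
    """Parse one Set-Cookie header value (RFC 6265 section 5.2, simplified)."""
    pair, _, rest = header_value.partition(";")
    name, sep, value = pair.partition("=")
    if not sep or not name.strip():
        raise ValueError("Set-Cookie header has no name=value pair")
    attrs = {}
    for chunk in rest.split(";"):
        key, _, val = chunk.partition("=")
        if key.strip():
            attrs[key.strip().lower()] = val.strip()
    return SetCookie(name.strip(), value.strip(), attrs)


def audit_cookie(cookie: SetCookie, over_tls: bool) -> list:
    """Return finding labels (constructed names) for one session cookie."""
    findings = []
    if not cookie.secure:
        # The browser may send this session id over plain HTTP.
        findings.append("missing-secure")
    elif not over_tls:
        # A Secure cookie is only returned over TLS, so a plain-HTTP
        # session cannot be maintained with it.
        findings.append("secure-cookie-on-plain-http")
    domain = cookie.attrs.get("domain", "").lstrip(".").lower()
    if domain:
        # A Domain attribute shares the cookie with every subdomain.
        findings.append("domain-scoped:" + domain)
    return findings


def audit_response(raw_headers: str, over_tls: bool) -> list:
    """Audit every session cookie set in one raw response header block."""
    results = []
    for line in raw_headers.splitlines():
        field_name, sep, value = line.partition(":")
        if not sep or field_name.strip().lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value.strip())
        if cookie.name.lower() in SESSION_COOKIE_NAMES:
            results.append((cookie.name, audit_cookie(cookie, over_tls)))
    return results


# Constructed sample responses.
HTTPS_SECURE = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/; Secure
Content-Type: text/html
"""
NO_FLAG = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/
Set-Cookie: theme=dark; Path=/
"""
WIDE_DOMAIN = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=PLACEHOLDER!-1; domain=.example.com; path=/; secure=true
"""

if __name__ == "__main__":
    for label, raw, tls in [("https+secure", HTTPS_SECURE, True),
                            ("http+secure", HTTPS_SECURE, False),
                            ("no flag", NO_FLAG, True),
                            ("wide domain", WIDE_DOMAIN, True)]:
        print(label, audit_response(raw, tls))
```
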

Similar Messages

  • Need help to get JSESSION cookie after making a SOAP request.

    Hello All,
    I need to know how I can check the JSESSION cookie and get its value after sending a SOAP request. I need this JSESSION value to be present in each HTTP stream until it expires. One more question: can I log the HTTP request and response by configuring the client-config.wsdd or not? If yes, could anyone let me know how to do it, please? Thank you in advance.

  • JSession cookie dropping cause DuplicateSessionDetected exception when use https rather than http

    I am developing a Grails+BlazeDS server and a Flex AIR client and am stuck with this error: Detected duplicate HTTP-based FlexSessions, generally due to the remote host disabling session cookies. Session cookies must be enabled to manage the client connection correctly
    Google searches weren't successful, as I see some differences in the situations. I get the issue only when the Flex client interacts with the server via https.
    Flex client:
    <s:ChannelSet id="userChannel">
               <s:SecureAMFChannel uri="https://localhost:8443/Con/messagebroker/amfpolling" />
    </s:ChannelSet>
    button click in UI triggered login method:
    loginResult.token = channelSet.login(usernameInput.text, passwordInput.text);
    And finished with DuplicateSessionDetected exception.
    After investigating the network monitor logs, I found that the jsession cookie received from the server is not set in the next requests to the server:
    Response from server (operation: client_ping):
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Set-Cookie: JSESSIONID=F58F1ADA97E70915EF9E6E4EE1AEBE00; Path=/; Secure
    Content-Type: application/x-amf
    Content-Length: 173
    Date: Sun, 23 Feb 2014 10:17:00 GMT
    Flex Message (flex.messaging.messages.AcknowledgeMessageExt)     clientId = EA18E8B9-951F-6F87-7B47-48B8B202EE75    correlationId = 7D2782C1-C8A5-41A3-2055-5E3F771424C8    destination = null    messageId = EA18E8F6-9E0E-1FE4-0D26-6F0E602F5C5E    timestamp = 1393150620542    timeToLive = 0    body = null    hdr(DSMessagingVersion) = 1.0    hdr(DSId) = EA18E8B9-950B-4B42-EF70-369D656BA3F2
    And next request to server (login operation) without jsession cookie:
    POST /Conn/messagebroker/amfsecure HTTP/1.1
    Referer: app:/BlazeDSClient.swf
    Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, text/css, image/png, image/jpeg, image/gif;q=0.8, application/x-shockwave-flash, video/mp4;q=0.9, flv-application/octet-stream;q=0.8, video/x-flv;q=0.7, audio/mp4, application/futuresplash, */*;q=0.5
    x-flash-version: 12,0,0,68
    Content-Type: application/x-amf
    Accept-Encoding: gzip,deflate
    User-Agent: Mozilla/5.0 (Windows; U; en) AppleWebKit/533.19.4 (KHTML, like Gecko) AdobeAIR/4.0
    Host: localhost
    Content-Length: 299
    Flex Message (flex.messaging.messages.CommandMessage)     operation = login    clientId =  null    destination =  auth    messageId =  7B47BBF2-08C0-0E41-5D88-5E3F76FA4882    timestamp =  0    timeToLive =  0    ***not printing credentials***
    and server answering with new session cookie:
    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Set-Cookie: JSESSIONID=03BD8347F9E9511C299B717DD55625C9; Path=/; Secure
    Content-Type: application/x-amf
    Content-Length: 535
    Date: Sun, 23 Feb 2014 10:17:01 GMT
    Flex Message (flex.messaging.messages.ErrorMessage)     clientId = null    correlationId = 7B47BBF2-08C0-0E41-5D88-5E3F76FA4882    destination = auth    messageId = EA18F4A7-C80D-103B-F8D0-58B6F148F142    timestamp = 1393150621768    timeToLive = 0    body = null    code =  Server.Processing.DuplicateSessionDetected    message =  Detected duplicate HTTP-based FlexSessions, generally due to the remote host disabling session cookies. Session cookies must be enabled to manage the client connection correctly.    details =  null    rootCause =  null    body =  null    extendedData =  null
    And again, when the non-secure protocol is used everything is OK: the session cookie is sent to the server in the login operation as expected.
    I have little experience in Flex development and didn't find any method to set the session cookie when triggering the channel login request. Could you help to resolve this issue, please?
    Thanks.

    Finally resolved it. I've seen similar questions on the web, so I hope this solution will be helpful for somebody.
    The cause of the DuplicateSessionDetected exception was the Network Monitor tool of Flash Builder. After switching it off, no exception occurred. I think there are issues when the Monitor acts as a proxy with the secure protocol.

  • Session and cookies

    Why, if I delete the JSession cookies, reload the index.faces page, and post the login form, does this error happen?
    ViewExpiredException: viewId:/login.faces - View /login.faces could not be restored
    New JSession cookie isn't created... Strange?

    I can't find a real solution for that problem!
    In IE, the website seems to work, but without cookies... why?
    In Firefox, after deleting the JSESSION cookie, if I reload (ctrl+F5), the cookie isn't created anymore... if I try many times, maybe 2-3 min later, the cookie is created...
    Without the cookie, I have the error about the view.
    Sometimes, without any change, in Firefox, it works but using the URL variable for the session... and after a few login-logout-login cycles, it uses the JSESSIONID cookie!
    Any idea? This kind of random problem is hard to solve.
    web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee   http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <context-param>
      <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
      <param-value>.xhtml</param-value>
    </context-param>
    <context-param>
      <param-name>URL</param-name>
      <param-value>ldap://localhost:10389</param-value>
    </context-param>
    <context-param>
      <param-name>managerDN</param-name>
      <param-value>uid=admin,ou=system</param-value>
    </context-param>
    <context-param>
      <param-name>managerPassword</param-name>
      <param-value>****</param-value>
    </context-param>
    <context-param>
      <param-name>facelets.DEVELOPMENT</param-name>
      <param-value>true</param-value>
    </context-param>
    <context-param>
      <description>valide le fichier faces-config</description>
      <param-name>com.sun.faces.validateXml</param-name>
      <param-value>true</param-value>
    </context-param>
    <context-param>
      <description>vérifie si tous les objets configurés sont créé correctement</description>
      <param-name>com.sun.faces.verifyObjects</param-name>
      <param-value>true</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
      <param-value>server</param-value>
    </context-param>
    <context-param>
      <param-name>javax.faces.CONFIG_FILES</param-name>
      <param-value>/WEB-INF/faces-config.xml</param-value>
    </context-param>
    <filter>
      <filter-name>MyFacesExtensionsFilter</filter-name>
      <filter-class>org.apache.myfaces.webapp.filter.ExtensionsFilter</filter-class>
      <init-param>
       <param-name>uploadMaxFileSize</param-name>
       <param-value>20m</param-value>
      </init-param>
    </filter>
    <!-- extension mapping for adding <script/>, <link/>, and other resource tags to JSF-pages  -->
    <filter-mapping>
      <filter-name>MyFacesExtensionsFilter</filter-name>
      <!-- servlet-name must match the name of your javax.faces.webapp.FacesServlet entry -->
      <servlet-name>Faces Servlet</servlet-name>
    </filter-mapping>
    <!-- extension mapping for serving page-independent resources (javascript, stylesheets, images, etc.)  -->
    <filter-mapping>
      <filter-name>MyFacesExtensionsFilter</filter-name>
      <url-pattern>/faces/myFacesExtensionResource/*</url-pattern>
    </filter-mapping>
    <listener>
      <listener-class>com.sun.faces.config.ConfigureListener</listener-class>
    </listener>
    <listener>
      <listener-class>com.sun.faces.application.WebappLifecycleListener</listener-class>
    </listener>
      <servlet>
      <servlet-name>Faces Servlet</servlet-name>
      <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
      <load-on-startup>0</load-on-startup>
    </servlet>
    <servlet-mapping>
      <servlet-name>Faces Servlet</servlet-name>
      <url-pattern>*.faces</url-pattern>
    </servlet-mapping>
    <session-config>
      <session-timeout>2</session-timeout>
    </session-config>
    <welcome-file-list>
      <welcome-file>index.html</welcome-file>
    </welcome-file-list>
    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config>
    </web-app>
    index.html
    <html>
         <head>
              <meta http-equiv="Pragma" content="no-cache" />
              <meta http-equiv="expires" content="0" />
              <meta http-equiv="Cache-Control" content="no-cache" />
              <meta http-equiv="Cache-Control" content="must-revalidate" />
              <meta http-equiv="Refresh" content="0; URL=login.faces" />
              <title>Start Web Application</title>
         </head>
         <body>
              <p>
                   Please wait for the web application to start.
              </p>
         </body>
    </html>
    Edited by: laurentw on Feb 10, 2009 4:12 PM
    Edited by: laurentw on Feb 10, 2009 4:13 PM

  • Arrowpoint cookies and state changes

    We have an 11050 6.10 build 4 (replacing it soon with a 11501) that is setting a cookie so we can stick a client to a server. The application is also setting a JSESSION cookie. The service is doing a HEAD to a specific page to verify the service is up. The service can change state often (say 1000 times in 2 hours) but the service is not always marked as down. It may only be marked as down 5 to 10 times in those 2 hours. The users are experiencing slow response and are getting kicked out of the application and going back to a login screen. My questions are:
    1. State Change Counters. If I go from alive to dying to alive is that 1 or 2 state changes?
    2. If a service is dying and a client connects to the service with the cookie already set will the CSS send them to the dying server or will it send them to the alive server? If it sends them to the alive server does it reset the cookie?
    3. If the service is down does the CSS send a RST to the client or does it just overwrite the cookie and send it to the alive server?
    4. Service timeouts. Is it true that the timeout for a service is the frequency -1? So if I have a frequency of 5 seconds if the CSS doesn't get a response within 4 seconds the service would go to the dying state?
    Thanks

    Thanks for the response. According to the Cisco documentation below when a service is down the client will be directed to the alive server. If clients aren't automatically sent to the alive server how would they ever get off the down service?
    The service isn't strange it's the app that's strange ;-) Basically they're getting slow response and the clients are getting kicked out of the app. As usual they want to blame every thing else but the app.
    The increase that I thought I was seeing in the state counters might not be accurate. When I did the show service it said the counters had been cleared this morning and they were already up to 1300. However, no one logged into the CSS except our Ciscoworks server. I'm not sure why it said they were cleared this morning unless CW2K is doing it. I cleared the counters and they're back to zero so I'll monitor it.
    ---Cisco Doc-------
    When a client comes in with a valid cookie request but the sticky server is not available, the CSS uses the sticky-serverdown-failover configuration to handle the request.
    By default, the sticky-serverdown-failover is configured as balance. The sticky-serverdown-failover balance method will treat the client's request as an initial request without the ArrowPoint cookie. It uses the load-balancing algorithm to choose a server, and then redirects the request with a generated ArrowPoint cookie.
    The other option is a failover type of redirect. In this case, the CSS redirects the request to the specified URL.
    The command sticky-no-cookie-found-action should not be configured in an ArrowPoint cookie content rule. Not only will this command not work, it produces many irregularities in the CSS.
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a00801c8c2f.shtml

  • Implementing logout. Single Sign-Off

    Hi I have developed an application using SSO.
    These are the steps I followed:
    1.     In the Orion-application.xml:
    <jazn provider="LDAP" location="ldap://hn-apli-dev.bcie.org:389" default-realm="jazn.com">
    <jazn-web-app auth-method="SSO"/>
    </jazn>
    2.     In the web.xml
    …….
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>jazn.com</realm-name>
    </login-config>
    …….
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>appName</web-resource-name>
    <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    …….
    The login works OK but I can't implement the Single Sign-Off.
    I tried using this code
    // Set the return URL
    response.setHeader("Osso-Return-Url", "http://my.oracle.com" );
    // Send Dynamic Directive for logout
    response.sendError(470, "Oracle SSO");
    But it works just for applications defined as Partner Applications.
    What else should I do?

    Seems like you are using mod_osso for enabling Single Sign-On to your applications. In this case, you do not have to register individual applications to the Single Sign-On server as a partner applications. Mod_osso registration should be sufficient and login/logout will work fine.
    However, if you are creating an application session and using that to show application content then logout will not work correctly. This is because single sign-off will not remove those JSESSION cookies (since they are application specific). To ensure that these application sessions cannot be reused when the user logs out, implement the application security logic as documented in the developer's guide.
    Oracle® Identity Management Application Developer's Guide
    10g Release 2 (10.1.2) Part No. B14087-01
    Section 7.4 Security Issues: Single Sign-Off and
    Application Logout

  • Integrating Windows Live web service using Jdeveloper

    Hi,
    We are integrating windows live web service in our oracle portal application. We are trying to create a web service proxy using the URL https://domains.live.com/service/managedomain2.asmx?wsdl. But, we just get an error saying "No WSDL document could be found". Please let me know how to access this web service.
    Please note that we are able to access this web service through the browser.
    Regards,
    MJ

    When building the service, there is an option to deploy a stateful service: check the stateful checkbox, in the step 2 of the wizard - Methods definition.
    On the client side, you will have to enable HTTP-based cookies, so that the client remembers the JSESSION cookie.
    Hope this helps,
    Eric

  • Http session load balancing

              Hi,
              My application is clustered on multiple machines. The application receives
              request mainly through the http protocol, and the application keeps session information
              of the user. I am using HttpClusterServlet to proxy request to the cluster.
              How can I get the servlet to proxy requests to the right machine that has the
              session information. (Currently, it's just using the round robin algorithm)
              Thanks
              

              It should do this automatically - it looks at the WebLogicSession (or jsession)
              cookie to determine where to send the request.
              Mike
              "Mark Liu" <[email protected]> wrote:
              >
              >Hi,
              >
              > My application is clustered on multiple machines. The application
              >receives
              >request mainly through the http protocol, and the application keeps session
              >information
              >of the user. I am using HttpClusterServlet to proxy request to the cluster.
              >
              >How can I get the servlet to proxy requests to the right machine that
              >has the
              >session information. (Currently, it's just using the round robin algorithm)
              >
              >Thanks
              >
              

  • SuperWebservice supporting stateful Web Service

    Acelet (http://www.acelet.com) has released a new version of Super with SuperWebservice supporting stateful Web service and SuperLogging combining traditional logging and LimpidLog. LimpidLog is a revolutionary logging: there is no need to hard-code logging statement. LimpidLog is an open source program.

    When building the service, there is an option to deploy a stateful service: check the stateful checkbox, in the step 2 of the wizard - Methods definition.
    On the client side, you will have to enable HTTP-based cookies, so that the client remembers the JSESSION cookie.
    Hope this helps,
    Eric

  • JAAS LoginModule - how do I get the "JSessionId"

    Hi,
    is there any possibility to get the JSessionId from a custom JAAS LoginModule for the WebAS 6.40 Server.
    My first attempt was to read the JSESSIONID-Cookie from the Http-Request via the HttpGetterCallback-Class.
    ((HttpGetterCallback) callbacks[1]).setType(HttpCallback.COOKIE);
    ((HttpGetterCallback) callbacks[1]).setName("JSESSIONID");
    It worked well, till I noticed that sometimes the JSessionId-Cookie doesn't exist.
    The reason is that the JSession-Cookie was set after the http-request had passed my login module.
    So, if I got a cookie-value, it sometimes was the JSessionID from an earlier session.
    So, my question:
    Is there any other possibility to get the JSessionId?
    If there is a way to get the ServletRequest-instance,  I could reach the SessionId via "HttpServletRequest.getSession()".
    Any idea? Any hints?
    Regards
    Steffen Spahr

    This is only available for NetWeaver Portal, not NetWeaver Application Server(WebAS). host and port can be obtained using the following code:
                   Callback[] callbacks = new Callback[3];
                   callbacks[0] = new NameCallback("UserId: ");
                   callbacks[1] = new PasswordCallback("Password: ", false);
                   // get host name and port
                   HttpGetterCallback getterCallback = new HttpGetterCallback();
                   getterCallback.setType(HttpCallback.HEADER);
                   getterCallback.setName("Host");
                   callbacks[2] = getterCallback;
                   try {
                        callbackHandler.handle(callbacks);
                   } catch (Exception ex) {
                        throw new LoginException(ex + "");
                   }
                   Object retValue = ((HttpGetterCallback)callbacks[2]).getValue(); //get host
    host and port will be returned in the following format SERVER.COMPANY.COM:50000
    Currently WebAS is not able to return the resource as per SAP development.

  • JSESSIONID

    Hi all,
    I am working on a web app which stores the customer's userid in the session. On each of my JSP pages the userid is extracted from the session. The problem is, if the customer's browser has another site (not ours) as its home page, after the web page of this default web site has loaded, if the customer uses the same browser window to access our site, two sessionids are forwarded back.
    For example, if the home page of the browser is www.bell.ca, after the first page of bell's site has loaded, a customer starts to access our site in the same browser window. But on our server, we can see there are two cookies with the same name "JSESSIONID" but different values. One is from our site, another one is from bell. But our server seemingly cannot tell which one is ours. The interesting thing is, if the browser does not set www.bell.ca as home page, or is set to another site, like www.yahoo.ca, as home page, this problem does not exist.
    I checked bell's site, found these, but I am not sure if this is the key.
    <meta http-equiv="pragma" content="no-cache">
    <meta http-equiv="Expires" content="Tue, 20 Aug 1996 14:25:27 GMT">
    So, my question is, is there any way to clean other JSESSIONIDs detected from browser; or if it is possible to set up something like "filter" on server side, to block JSESSIONID not originated from some particular URLs.
    Btw, we tried to set cookies on both server side and browser, it did not work.
    The server is on solaris, with apache and tomcat 4.1. Both IE6 and Netscape 4.7 has same problem.
    Thanks for any help.

    As you describe this problem in two different brands of browsers I started to wonder -- a browser passing a cookie of another site would be a serious security / privacy leak. But then: obviously NN4.7 is quite old and IE6, well... Did you test with any other browsers as well, and with what results? I'd especially recommend Mozilla Firebird with the Live HTTP Headers extension installed, to easily see the real headers (rather than some http-equiv's): http://livehttpheaders.mozdev.org/
    Anyway: in IE6 / SP1 / WinXP I've set http://www.bell.ca to be my homepage, then closed the browser and opened it. Once the page loaded, typing    javascript:alert(document.cookie)  in the address bar, gave me something like
    SITESERVER=ID=5b9cd01f1ff32686bd0e90372e3a51a2;
    ASPSESSIONIDCATSRDQR=HFIMGFCCHFBFKAHCHMAKAMIF;
    s_cc=true;
    JSESSIONID=QCUi29yqFaft6nT28j11Qpexb9aMrAAp3prOLpIhdjzoO....
    Note that on WinNT/2000/XP you can hit Ctrl-C to copy the dialog text to your clipboard. Then, in the same window browsing to http://forum.java.sun.com, gave me
    JSESSIONID=forum.java.sun.com-119030%253A40252....;
    jive.user.lastvisited=1076175702595
    What if you repeat this? Does your server really see the www.bell.ca session cookie? Compare the value from your browser with what you see on the server! And please tell us what you've found, as this is interesting -- and scary...
    You're not by any chance creating a site for a subdomain of bell.ca, are you? Well, even then the cookie should have been overridden with its new value, not stored as an extra cookie. Using Firebird, Live HTTP Headers shows that the JSESSION cookie originates from http://www.bell.ca/shop/application/commercewf and has the domain set to .bell.ca, which is perfectly valid (though funny to see Microsoft IIS here):
    HTTP/1.x 200 OK
    Server: Microsoft-IIS/4.0
    Date: Sat, 07 Feb 2004 18:30:38 GMT
    Connection: close
    Set-Cookie: JSESSIONID=QCUuzoGhvWfNuybw...; domain=.bell.ca; path=/
    Expires: Thu, 01 Dec 1994 16:00:00 GMT
    Content-Type: text/html
    Nothing odd here, if you'd ask me...
    Arjan.
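
The subdomain question raised in the reply above can be checked with the cookie matching rules of RFC 6265. This added example, which is not code from either poster, shows when a browser attaches two cookies named JSESSIONID to one request; the hosts, paths and values in the jar are constructed placeholders, and IP-address hosts are not handled.

```python
# Added example (not from the original posts). Hosts, paths and cookie values
# are constructed placeholders.

def domain_match(request_host, cookie_domain, host_only):
    """RFC 6265 section 5.1.3 domain matching (IP-address hosts not handled)."""
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    if host == domain:
        return True
    # Only a cookie set with a Domain attribute is shared with subdomains.
    return (not host_only) and host.endswith("." + domain)


def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path matching."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_for_request(jar, host, path):
    """Return the (name, value) pairs a browser would attach, in send order."""
    matching = [c for c in jar
                if domain_match(host, c["domain"], c["host_only"])
                and path_match(path, c["path"])]
    # RFC 6265 section 5.4: longer paths first; the stable sort keeps
    # storage (creation) order for equal path lengths.
    matching.sort(key=lambda c: -len(c["path"]))
    return [(c["name"], c["value"]) for c in matching]


def duplicate_names(pairs):
    """Cookie names that occur more than once in one request."""
    seen, dupes = set(), []
    for name, _ in pairs:
        if name in seen and name not in dupes:
            dupes.append(name)
        seen.add(name)
    return dupes


# Constructed cookie jar, in creation order.
JAR = [
    # Set by www.example.com with "domain=.example.com; path=/"
    {"name": "JSESSIONID", "value": "PARENT-SITE", "domain": "example.com",
     "host_only": False, "path": "/"},
    # Set by app.example.com without a Domain attribute (host-only)
    {"name": "JSESSIONID", "value": "OUR-APP", "domain": "app.example.com",
     "host_only": True, "path": "/"},
    # Set by an unrelated site, host-only
    {"name": "JSESSIONID", "value": "UNRELATED", "domain": "forum.example.org",
     "host_only": True, "path": "/"},
]

if __name__ == "__main__":
    for host in ("app.example.com", "www.example.com", "forum.example.org"):
        sent = cookies_for_request(JAR, host, "/login.jsp")
        print(host, sent, "duplicates:", duplicate_names(sent))
```

The Cookie request header carries only name=value pairs, so the server cannot tell from the request which domain set each JSESSIONID.
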

  • Manual setting JVMID

    Hi,
    There are situations where we need requests go through a particular instance of the cluster.
    Knowing that the HTTP server plugin maintains the stickiness over a WebLogic cluster using the jvmid part of the JSESSION cookie,
    is there a way to force Weblogic JVMID at startup ?
    Thanks,
    Christian.

  • Cookie set on the request from flex disappers

    All,
    I need to set a cookie for calls from Flex. So on the server side I set the cookie and send the response back to Flex. I used tools like tamperdata and debugbar to monitor the request calls and I found that the cookie I set is available, and a JSessionID cookie is also available, in the response headers "Set-Cookie". Since the cookie is set in the response headers, it is expected to be available in all the next successive calls.
    But on my next successive calls I see only the JSession id for all the calls. And in some calls I see the cookie I set.
    I use the Cairngorm framework. So far I have analysed and found that if the call goes from the same delegate I see my cookie, but if it's from a different delegate then I don't see the cookie in the request. I tried using the same delegate for all my commands by creating objects of the same delegate but still it didn't work.
    I feel crazy when I think why only the JSessionId is available in the cookie and not the one which I set in the calls irrespective of the delegate. I am not sure where I am going wrong. Even when I try to do document.cookie in the external interface call or in the URL using a JavaScript alert I only see an empty string, not even the JSession id in the document.cookie. Something is really crazy.
    Since the result event does not have the option of a cookie, is Flex eating the cookie set on the response? Then why is only the JSessionId available? I have also seen that HTTPServiceMessage has an option of recordHeaders. Is my issue related to this? If so please let me know an example to use this. I am going insane with this issue. Please help!!

    It's probably not the same delegate you need to hit, but exactly the same HTTPService.
    This is a bit I've gleaned from encountering similar issues, so it might not be exactly right!
    The Flash Player attaches the cookie info into the Channel that is used to make the call. If you want the same cookie, you need to use the same Channel.
    The jsessionid you are seeing is the way the same session is indicated to back end resources, so if two Flash apps hit the same service it knows they are different.
    The way I'm currently playing with, is to keep the ChannelSet around and inject it into Services as I need them, that's covering most of my problems!

  • Application lost existing session due to new jsession id.

    Hi Team,
    We have three linux box in production and each box contains apache and weblogic managed server.
    IP and apache port is configured in our ACE load balancer.
    -----A1---M1
    |
    ACE- --|-----A2---M2
    |
    -----A3---M3
    A1,A2,A3-Apache servers, M1,M2,M3 - Managed servers.
    apache version is 2.2.22 and weblogic version is 11G. mod_wl.so is used to redirect from apache to weblogic.
    Each apache will redirect to corresponding managed server.
    Our application(java based) is deployed in weblogic cluster.
    When the user tests the application via the load balancer, it sends the request to Apache and Apache redirects to the managed server.
    The problem is that a new jsession id is created between some requests and the application loses our existing session.
    We have captured HTTP headers and have seen a new cookie created in the response header.
    <header>Set-Cookie: JSESSIONID=pjrLRs2QCPpnP89p553Y4y0MfGp6rTy3kv4sP5TQG5MV3mV4xmfm!-1368207527; domain=.abc.com; path=/; secure=true</header>
    The above problem doesn't happen when we use a single Apache server.
    -----A1---M1
    |
    ACE -| A2---M2
    |
    A3---M3
    Can you please help here to sort out this issue.
    Regards,
    Ganesan
    Edited by: 992087 on Mar 6, 2013 2:39 AM

  • CSS Load Balancing with Cookies

    We are trying to load balance 2 backend servers hosted on Websphere with advance balance cookies method.
    Restrictions
    ServerA is unable to accept cookies generated from ServerB.
    ServerA and ServerB are generating random cookies
    Unable to modify cookie string with a constant.
    How can we load balance based on cookies considering the above restrictions?
    We have attempted to do hash based load balancing with cookies but the problem we run into is the servers do not accept cookies generated from another server.
    The configuration we tried is written below:
    service ServerA
    ip address 192.168.10.2
    keepalive type tcp
    keepalive port 80
    active
    service ServerB
    ip address 192.168.20.2
    keepalive type tcp
    keepalive port 80
    active
    content ABC
    url "/*"
    add service ServerA
    string prefix "JSESSIONID="
    advanced-balance cookies
    port 80
    add service ServerB
    string skip-length 5
    string process-length 16
    string operation hash-xor
    protocol tcp
    vip address 172.16.32.1
    active
    Can we change the string prefix to JSESSION instead of JSESSIONID= ?
    The only place the app guys can add a constant string to match on is before the = sign.
    Is it possible for CSS to match on a constant string before = sign e.g below:
    service ServerA
    ip address 192.168.10.2
    keepalive type tcp
    keepalive port 80
    string id567=
    active
    service ServerB
    ip address 192.168.20.2
    keepalive type tcp
    keepalive port 80
    string id123=
    active
    content ABC
    url "/*"
    add service ServerA
    string prefix "JSESSION"
    advanced-balance cookies
    port 80
    add service ServerB
    string skip-length 0
    string process-length 6
    protocol tcp
    vip address 172.16.32.1
    active

    It should work.
    There is no reason for it not to work...
    This is the best method you can have on the CSS for stickiness.
    Get a sniffer trace on the client and server with arrowpoint cookie configured on the CSS and capture a failure so we can see what is going on.
    Also send me the config so I can verify everything is OK.
    If you have a service request open with the TAC, you can also give the SR # so I can review what has been done.
    Gilles.
