I intentionally wrote 'session aware' instead of 'session shared' applications. Following is a scenario:
I have a webapp (WA1) deployed in one instance of Tomcat. Assume that all apps are deployed on root and we are not dealing with contexts. This application allows users to log in, do their thing on site and log out.
There is another webapp (WA2) on another Tomcat instance. This application handles a service, let's say, it reads some files and streams to the browser.
WA1 serves a page which has a link that links to WA2.
Now I have a valid session in WA1 which identifies who the user is and if the session is a valid session. I would like WA2 to know it before honoring the request from the page served by WA1.
What is the best way to handle this?
I have ruled out sharing sessions (unless that is the better way, please explain), due to the reason that WA1 could be itself load balanced and WA2 could be load balanced, and to keep shared sessions over two load balanced instances of the app may get overwhelming.
I am leaning towards a 'token' mechanism, where WA1 creates a token associated with every session and makes it available to every URL to WA2 from any page served from WA1. WA2 would first inspect the token, and see if it is a valid token (many ways to do this: A: make a web-service call to WA1 to ask if the token is a valid session token; B: WA1 persists to DB or file system and WA2 seeks from there), and if it is valid, then honor the request. The issue here would be to make sure that the token is invalidated when a session in WA1 expires.
I would like to know if this approach is good enough, or are there better ways to do this?
Thanks
M. Rather
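The token mechanism described in the question (option B, a store both applications can read), sketched as an added example that is not part of the original post. The names SessionTokenDemo, TokenStore, issue, revoke and validate are hypothetical, and the in-memory map stands in for the shared database or file system.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical sketch: TokenStore stands in for the DB/file store shared by WA1 and WA2.
public class SessionTokenDemo {
    record Entry(String user, Instant expiresAt) {}

    static class TokenStore {
        private final Map<String, Entry> tokens = new ConcurrentHashMap<>();
        private final SecureRandom rng = new SecureRandom();

        // WA1: called at login. The token is random and is not the session ID itself,
        // so exposing it in a link to WA2 does not expose the WA1 session.
        String issue(String user, long ttlSeconds) {
            byte[] raw = new byte[32];
            rng.nextBytes(raw);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            tokens.put(token, new Entry(user, Instant.now().plusSeconds(ttlSeconds)));
            return token;
        }

        // WA1: called from HttpSessionListener.sessionDestroyed (logout or timeout).
        void revoke(String token) { tokens.remove(token); }

        // WA2: returns the user for a live token, or null. The expiry check is a
        // backstop for the case where WA1 stops before its listener can revoke.
        String validate(String token) {
            if (token == null) return null;
            Entry e = tokens.get(token);
            if (e == null) return null;
            if (Instant.now().isAfter(e.expiresAt())) { tokens.remove(token); return null; }
            return e.user();
        }
    }

    public static void main(String[] args) {
        TokenStore store = new TokenStore();
        String t = store.issue("alice", 1800);      // constructed sample user and TTL
        System.out.println("live:    " + store.validate(t));
        store.revoke(t);                            // WA1 session expired or logged out
        System.out.println("revoked: " + store.validate(t));
        String stale = store.issue("bob", -1);      // constructed: already past expiry
        System.out.println("stale:   " + store.validate(stale));
        System.out.println("forged:  " + store.validate("not-a-real-token"));
    }
}
```

Because the token travels in the URL to WA2, it is recorded in access logs and Referer headers, so keep its lifetime short and serve both applications over HTTPS.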
By default, the servlet API uses a cookie, typically named jsessionid, to store a session ID in each browser. Then, the browser passes the cookie to the server with each request. As long as both instances of Tomcat are within the same domain, they should both have access to that cookie. Unless I'm missing something, it's just a matter of testing for that cookie in the second application.
Update: Even if each instance of Tomcat runs in a different domain, they can still share these cookies by calling the setDomain(String domainPattern) method of the Cookie class.