Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Dynamic session cookie name


Silvio,

eitherway it is a bit of work.   To extend the SessionManager in 9.4, you need to change SessionHandler methods:
  • checkRequestedSessionId
  • getSessionCookie
  • getSessionIdPathParameterName
depending on the request params, which not all of them have access to.  You may need to set a thread local, but then you'll need to be wary of async stuff, so you may need to set that thread local in a ContextHandler ScopeListener as well.

RewriteHandler approach is pretty straight forward on the inbound side, as you can change the request however you want, but it is more complex on the outbound side to do he rewriting and change the cookies.   Maybe you need to wrap the response.

Hard to say which is the best approach without giving it a go and without knowing exactly all your concerns and motivations.

cheers



On 10 December 2016 at 01:45, Silvio Bierman <sbierman@xxxxxxxxxxxxxxxxxx> wrote:
Hello Christoph,

Since the sessions contain non-serializable state they are not suited for this type of clustering. Clustering is done at a different level in this system, not at the user session level.

The session concept fits fine. The only problem I have is that I need to have more than one at the same time in the same browser. Which is very easy when tracking sessions in the URL and very difficult tracking them with session cookies.

Cheers,

Silvio



On 12/09/2016 11:06 AM, Christoph Läubrich wrote:
BTW: Jetty supports Clustered Sessions with the JDBCSessionManager

But if the Session concept itself does not fit your needs, why don't you use a custom storage for this instead? You can even then store this in the (single) User-Session ;-)

Am 08.12.2016 13:42, schrieb Silvio Bierman:
Hello all,

I have an application that needs to explicitly spawn sessions for a user. The main reason is that it needs to either open multiple browser windows each accessing their own separate session or it redirects the user through different sessions. For several reasons this can not be retrofitted into a single session, one of which is that the sessions currently can reside on a different node in a sort-of-cluster (sticky).

Currently the applications uses URL-based session tracking. This works flawlessly but for security reasons I would like to change the session tracking mechanism. Since I can not spawn new sessions in a Jetty server while handling a request that already has a session associated with it (or can I?) I am thinking of the following scheme:

When I need a new session I create some kind of session-token and stuff that in the URL. Then that requests is handled by Jetty and I would like Jetty to attach a session to it tracking it with a session cookie. BUT: I want Jetty to use the session-token as the name of the session cookie. That means that I would need to hook the SessionManager to make the session cookie name dependent on the request.

Is this at all possible? Or are there better ways to do this?

Cheers and thanks in advance,

Silvio

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users



--

Back to the top