How to prevent jboss node name from being added to sessionid

Asked 7/12, 2018 at 13:20 Answered 1/12, 2022 at 20:41

java spring-boot jboss wildfly jsessionid

Recently, we have upgraded our application server from JBoss EAP6.2 to EAP7.0.

Even though it runs non-HA profile aka standalone.xml, JBoss adds jboss.node.name at the end of JSESSIONID cookie.

For example,

Spring Boot generates a JSESSIONID as tHSf9v23SSDBMqJ1O7XFJZ9.... and when the request comes to browser, the cookie becomes tHSf9v23SSDBMqJ1O7XFJZ9.master:<jboss.node.name> which causes some compatibility issues.

I've run some experiments by manually calling response.addCookie. In that case, it does not add master suffix to the cookie. However, if Spring itself writes the cookie, it seems that JBoss picks it up and add master suffix. I know this case can be little confusing (it is to me), I'm happy to provide more information.

Huang answered 7/12, 2018 at 13:20 Comment(8)

Its default behavior, I dont think its possible to change. – Serve 11/12, 2018 at 4:28

I know it is by default, but I feel like there should be some way to override this behavior – Huang 11/12, 2018 at 6:12

Have you tried removing instance-id attribute from <subsystem xmlns="urn:jboss:domain:undertow:3.1" instance-id="node2"> – Catkin 12/12, 2018 at 19:50

Maybe you find something useful here developer.jboss.org/thread/276894 – Nautilus 14/12, 2018 at 13:45

Seems you are not the only one facing this issue... developer.jboss.org/thread/171103?_sscc=t – Bombast 16/12, 2018 at 15:47

I think you should never rely under any circumstances upon the return value of javax.servlet.HttpSession.getId() so you have to generate own session id using org.util.UUID class. – Pythagoreanism 18/12, 2018 at 5:38

@DHARMENDRASINGH it's quite a long story and I cannot change the code right now. I have to fix this issue somehow. I'll try what AtulK suggested – Huang 18/12, 2018 at 5:43

Removing the instance id will not help as JBoss would simply use the instance id from it's configuration as default. But you can change it into something not meaningful for outsiders. – Foretoken 1/12, 2022 at 20:43

An old thread, but for those who still stumble upon it:

In EAP7/Wildfly11+ the session cookie will have a value in form :

<sessionId>.<instanceId>

Where instanceId is taken from Undertow subsystem config attribute instance-id. By default it is going to be set to value of jboss.node.name system property in standalone mode, and to <serverGroup>:<hostname> in domain mode.

You can customize the instanceId value via Undertow subsystem config: Either via standalone.xml:

 <subsystem xmlns="urn:jboss:domain:undertow:3.1" instance-id="${myValue}">

Or via corresponding cli:

/subsystem=undertow:write-attribute(name=instance-id, value=myvalue)

In which case you get a final JSession id that looks sth like this:

JSESSIONID=FdEyt_nZvyAV1gKpQ_3ZsSYeu41JycphvMdHcYeT.myvalue

Ammerman answered 31/8, 2021 at 8:55 Comment(0)

The answer from @yntelectual is dead right and should be the accepted answer. I just want to complement the fact that the observed behaviour is not a JBoss speciality.

It was introduced so Apache mod_jk and mod_proxy know which one of several possible application servers is working on a given session, and Apache Tomcat as the reference implementation for servlet containers shows exactly the same behaviour. Other containers such as JBoss, Glassfish, Geronimo do the same.

Check

jvmRoute on https://tomcat.apache.org/tomcat-9.0-doc/config/engine.html
jvmRoute on https://tomcat.apache.org/connectors-doc/reference/workers.html
route on https://httpd.apache.org/docs/2.4/mod/mod_proxy.html
jvmRoute on https://docs.oracle.com/cd/E18930_01/html/821-2416/gfaad.html
jvmRoute on https://geronimo.apache.org/GMOxDOC11/geronimo-tomcat-host-level-clustering-sample-application.html

Foretoken answered 1/12, 2022 at 20:41 Comment(0)

Recommended topics

Hot tags