Sharing JSESSIONID cookie across subdomains on JBoss

The problem with sharing cookie with JSESSIONID value arises when we start use subdomains system in our application. For example: images.portal.com, security.portal.com, etc.

Respectively a cookie with unique JSESSIONID value will be created for each domain address and you can get some problems. For example, with autorization if it stores credentials in session. So for our example we will have three diffrent cookies with three different session ids.

# Domain Value
1 portal.com JSESSIONID1
2 images.portal.com JSESSIONID2
3 security.portal.com JSESSIONID3

Not very good, really?) Our cookie must have “.portal.com” domain to starts sharing across all subdomains (and there also will be only one session cookie instead of three). I didn’t find any standart solution for this problem. Possible solutions are:

  1. hardcode domain name in TomCat source files and recompile them (heh, I think this is the most popular solution for this problem over the Internet, but it isn’t our way);
  2. use custom valve to set domain name (very flexible solution, so we will used it);
  3. write cookie with true domain from application. But this will make your application logic more complicated and you will have two cookie with identical JSESSIONID value and different domains. “.portal.com” — from your application, “portal.com” — from TomCat.

Valve is the great software development company and it is also a filter that can do some transformation with request. In our case the valve must takes session cookie from request and rewrites its’ domain to some that we setup in config file. It’s very easy, ’cause problem is already solved. From previous link we saw how to work with valve and now we can go here.

Step-by-step guide (for JBoss 4.2.3):

  1. download customvalve2.zip file;
  2. put customvalve.jar file from archive to “JBOSS_HOME/server/YOUR_CONFIGURATION/lib” folder;
  3. add string “<Valve className=”com.redhat.jboss.support.ConfigureSessionCookieValve” cookieDomain=”.portal.com” />” to your host in “JBOSS_HOME/server/YOUR_CONFIGURATION/jboss-web.deployer/server.xml” file. Looks like:
    <Host name="localhost"
        autoDeploy="false" deployOnStartup="false" deployXML="false"
        configClass="org.jboss.web.tomcat.security.config.JBossContextConfig"
        >
        ...
        <Valve className="com.redhat.jboss.support.ConfigureSessionCookieValve"
            cookieDomain=".portal.com" />
        ...
    </Host>

And at last let us see the method that does all work (located in ResponseWrapper.java):

// Called from addCookie() and addCookieInternal() methods.
protected void configureSessionCookie(Cookie cookie) {
    if (Globals.SESSION_COOKIE_NAME.equals(cookie.getName())) {
        if (cookiePath != null) {
            cookie.setPath(cookiePath);
        }
        if (cookieDomain != null) {
            cookie.setDomain(cookieDomain);
        }
        if (cookieSecure != null) {
            if (cookieSecure.equalsIgnoreCase("true")) {
                cookie.setSecure(true);
            } else if (cookieSecure.equalsIgnoreCase("false")) {
                cookie.setSecure(false);
            }
        }
    }
}

That’s all!) Valve sources lie in downloaded archive so they can be easily modificated for your purposes.

2 thoughts on “Sharing JSESSIONID cookie across subdomains on JBoss

  1. Jigna Joshi

    i have put some debug statements in configureSessionCookie method in ResponseWrapper class…No debug statements got printed…that means addCookie() method is not getting called…from where this method is called?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *