Skip to main content

Securing JSESSIONID cookie if tomcat is fronted by apache

In my previous post Creating a custom Valve in tomcat I descibed the valve solution I tried to secure the JSESSIONID cookie but it didnt worked so finally I had to patch the tomcat class to get it working. We are using tomcat 5.5.28 so I downloaded the source and modify the class apache-tomcat-5.5.24-src/container/catalina/src/share/org/apache/catalina/connector/Response.java. In addCookie method I had to add this code 


 String cookieName = cookie.getName();
 if (request != null && "JSESSIONID".equals(cookieName)) {
    String clientId = request.getHeader("X-Forwarded-For");
    if (clientId != null) {
  cookie.setSecure(true);
    }
 }

Then compile the code and replace the catalina.jar in tomcathome/server/lib

Comments

  1. UnknownDecember 3, 2010 at 5:38 PM

    Cool! Did you send patch back to ASF guys? :)

    ReplyDelete
  2. Kalpesh PatelDecember 4, 2010 at 9:35 AM

    no no its not a tomcat bug, but its the way we put apache/nginx in front of tomcat so that we don't want tomcat to handle SSL traffic. Apache handles SSL and by the time it reaches tomcat the request is no longer secure and thats why tomcat was not creating secure cookie. So it was a workaround to do it. This can also be used to set JSESSIONID a domain wide cookie in case you have diff tomcats using diff subdomain. I think newer tomcat may support this as an attribute already but we couldnt upgrade to new tomcat in this short timeframe.

    ReplyDelete

Post a Comment

Popular posts from this blog

Haproxy and tomcat JSESSIONID

One of the biggest problems I have been trying to solve at our startup is to put our tomcat nodes in HA mode. Right now if a customer comes, he lands on to a node and remains there forever. This has two major issues: 1) We have to overprovision each node with ability to handle worse case capacity. 2) If two or three high profile customers lands on to same node then we need to move them manually. 3) We need to cut over new nodes and we already have over 100+ nodes.  Its a pain managing these nodes and I waste lot of my time in chasing node specific issues. I loath when I know I have to chase this env issue. I really hate human intervention as if it were up to me I would just automate thing and just enjoy the fruits of automation and spend quality time on major issues rather than mundane task,call me lazy but thats a good quality. So Finally now I am at a stage where I can put nodes behing HAProxy in QA env. today we were testing the HA config and first problem I immediat...
Post a Comment
Read more

Adding Jitter to cache layer

Thundering herd is an issue common to webapp that rely on heavy caching where if lots of items expire at the same time due to a server restart or temporal event, then suddenly lots of calls will go to database at same time. This can even bring down the database in extreme cases. I wont go into much detail but the app need to do two things solve this issue. 1) Add consistent hashing to cache layer : This way when a memcache server is added/removed from the pool, entire cache is not invalidated.  We use memcahe from both python and Java layer and I still have to find a consistent caching solution that is portable across both languages. hash_ring and spymemcached both use different points for server so need to read/test more. 2) Add a jitter to cache or randomise the expiry time: We expire long term cache  records every 8 hours after that key was added and short term cache expiry is 2 hours. As our customers usually comes to work in morning and access the cloud file server it ...
Post a Comment
Read more

Spring 3.2 quartz 2.1 Jobs added with no trigger must be durable.

I am trying to enable HA on nodes and in that process I found that in a two test node setup a job that has a frequency of 10 sec was running into deadlock. So I tried upgrading from Quartz 1.8 to 2.1 by following the migration guide but I ran into an exception that says "Jobs added with no trigger must be durable.". After looking into spring and Quartz code I figured out that now Quartz is more strict and earlier the scheduler.addJob had a replace parameter which if passed to true would skip the durable check, in latest quartz this is fixed but spring hasnt caught up to this. So what do you do, well I jsut inherited the factory and set durability to true and use that public class DurableJobDetailFactoryBean extends JobDetailFactoryBean {     public DurableJobDetailFactoryBean() {         setDurability(true);     } } and used this instead of JobDetailFactoryBean in the spring bean definition     <bean i...
7 comments
Read more