Thursday, October 13, 2011

When running in a cluster with multiple processes/nodes, the session is lost because mod_oc4j cannot route to the "correct" OC4J node/process




Problem: When running in a cluster with multiple processes/nodes, the session is lost because mod_oc4j cannot route to the "correct" OC4J node/process.
To set the "secure" and "httponly" flags for the session cookie, a servlet filter like the following was created:

public final void doFilter(final ServletRequest servletRequest,
        final ServletResponse servletResponse, final FilterChain filterChain)
        throws IOException, ServletException {

    final HttpServletRequest request = (HttpServletRequest) servletRequest;
    final HttpServletResponse response = (HttpServletResponse) servletResponse;

    // Only build the session cookie if no Set-Cookie header is present yet.
    if (!response.containsHeader("SET-COOKIE")) {
        final String sessionId = request.getSession().getId();
        final String contextPath = request.getContextPath();
        // Add the Secure flag only for requests that arrived over HTTPS.
        String secure = "";
        if (request.isSecure()) {
            secure = "; Secure";
        }
        // Hand-built JSESSIONID cookie; it carries no jvmroute information.
        response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionId
                + "; Path=" + contextPath + "; HttpOnly" + secure);
    }

    filterChain.doFilter(servletRequest, response);

}

This works quite well as long as the OC4J instance consists of only one process, but when running in a cluster with multiple processes/nodes, the jvmroute information is not contained in the so-generated cookie, and thus the session is lost because the mod_oc4j cannot route to the "correct" OC4J node/process.




Symptoms:
OC4J generates the session cookie when committing the request -- i.e. at the latest possible moment -- and generates it independently of all other cookies that are set with setCookie() or setHeader().
The mechanics of how the "jvmroute" is used for it, and even the jvmroute information itself, are not accessible at the application level (= filter level).

As a conclusion from that, you cannot use a servlet filter to generate the session cookie -- you need to leave the creation of the session cookie to OC4J.


Solution:





The issue is due to bug 5908683, ADD SUPPORT FOR "HTTPONLY" ATTRIBUTE ON SESSION COOKIE.
Specify the cookie domain like ".oracle.com; HttpOnly".

In order to add the "secure" flag you can use the set-secure attribute, documented in

Oracle® Containers for J2EE Servlet Developer's Guide
10g (10.1.3.1.0)
Part Number B28959-01
B Web Module Configuration Files
http://download.oracle.com/docs/cd/B32110_01/web.1013/b28959/xmlfiles.htm#CJAGCICC


There is no direct support for setting the "HttpOnly" flag, but configuring the cookie-domain setting like "your.domain.com; HttpOnly" does the trick, and setting the cookie path in a similar way, like "/myapp/; HttpOnly", works too.
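To confirm that the container-generated session cookie actually carries the flags after such a configuration change, the Set-Cookie headers of a response can be audited. The following Python check is an added example, not code from the original post or from Oracle; the function names, the sample header values and the attribute order in them are constructed assumptions.

```python
# Added example: audit the Set-Cookie headers of one response for the session cookie.
# All header values below are constructed samples, not captured OC4J output.

def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, attr_val = part.partition("=")
        attrs[key.strip().lower()] = attr_val.strip()
    return name.strip(), val.strip(), attrs


def audit_session_cookie(set_cookie_headers, https, cookie_name="JSESSIONID"):
    """Return a list of findings for the session cookie in one HTTP response."""
    session = [c for c in map(parse_set_cookie, set_cookie_headers)
               if c[0] == cookie_name]
    if not session:
        return ["no %s cookie in response" % cookie_name]
    findings = []
    if len(session) > 1:
        # A hand-built cookie next to the container's own one shows up here.
        findings.append("%d %s cookies in one response" % (len(session), cookie_name))
    for _, _, attrs in session:
        if "httponly" not in attrs:
            findings.append("missing HttpOnly")
        if https and "secure" not in attrs:
            findings.append("missing Secure")
    return findings


# Constructed: cookie-domain configured as "your.domain.com; HttpOnly", secure flag on.
SAMPLE_TRICK = ["JSESSIONID=0a1b2c3d-constructed; Domain=your.domain.com; HttpOnly; Path=/myapp; Secure"]
# Constructed: session cookie without any of the configuration changes.
SAMPLE_PLAIN = ["JSESSIONID=0a1b2c3d-constructed; Path=/myapp"]
# Constructed: a filter-built cookie alongside a container-built one.
SAMPLE_DOUBLE = ["JSESSIONID=aaa-constructed; Path=/myapp; HttpOnly; Secure",
                 "JSESSIONID=bbb-constructed; Path=/myapp"]

if __name__ == "__main__":
    for label, headers in (("trick", SAMPLE_TRICK), ("plain", SAMPLE_PLAIN),
                           ("double", SAMPLE_DOUBLE)):
        print(label, audit_session_cookie(headers, https=True) or "ok")
```

In the first sample the parser sees a normal Domain attribute followed by a separate HttpOnly attribute, which is how the "; HttpOnly" suffix in the domain setting ends up being read by a client.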


Surely this is better supported by the WebLogic Server, which has many more settings in order to configure the session cookie, see

Oracle® Fusion Middleware Developing Web Applications, Servlets, and JSPs for Oracle WebLogic Server
11g Release 1 (10.3.3)
Part Number E13712-02
B weblogic.xml Deployment Descriptor Elements
session-descriptor
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13712/weblogic_xml.htm#WBAPP587



References:
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13712/weblogic_xml.htm#WBAPP587

http://download.oracle.com/docs/cd/B32110_01/web.1013/b28959/xmlfiles.htm#CJAGCICC