This problem is driving me crazy, so maybe someone can help me understand what the problem is. I have a Tomcat web application that sits behind HAProxy. HAProxy also performs SSL offloading and is configured to use sticky sessions. I am using Tomcat's session replication feature, which seems to be working fine. Sessions are displayed on both application servers.
For some reason, Tomcat generates a new JSESSIONID for each individual web request, and then copies the contents of the old session to a new session. That is, the contents of my session are still present in the new session, but a new identifier is created and sent back to the client. But this happens only for my web application. It does not do this for the /manager application.
I tried every trick in the book, such as setting this in my context.xml:
<Valve className="org.apache.catalina.authenticator.BasicAuthenticator" changeSessionIdOnAuthentication="false" />
And setting these attributes on the Context element:
<Context path="/myapp" reloadable="false" override="true" useNaming="false" allowLinking="true" useHttpOnly="false" sessionCookiePath="/" sessionCookiePathUsesTrailingSlash="false">
And still the result is the same. Tomcat generates a new session identifier with each request and copies the contents of the old session to the new identifier.
I suspect this is due to HAProxy, except that the /manager application is also behind HAProxy and it does not exhibit this behavior.
Why is Tomcat doing this and what can I do to prevent it?
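A way to narrow down the symptom described in the question, as an added example that is not part of the original post: the script below classifies each captured request/response pair by comparing the JSESSIONID the client sent with the one the server set, which separates "the cookie never came back to Tomcat" from "Tomcat received the ID and still replaced it". The header values are constructed sample data, and the function names and verdict labels are hypothetical.

```python
from http.cookies import SimpleCookie

def session_id(header, name="JSESSIONID"):
    """Return the value of cookie `name` in a Cookie or Set-Cookie header, or None."""
    if not header:
        return None
    jar = SimpleCookie()
    jar.load(header)
    return jar[name].value if name in jar else None

def classify(exchanges, name="JSESSIONID"):
    """exchanges: ordered list of (request Cookie header, response Set-Cookie header)."""
    verdicts, issued_before = [], False
    for cookie_hdr, set_cookie_hdr in exchanges:
        sent = session_id(cookie_hdr, name)
        issued = session_id(set_cookie_hdr, name)
        if issued is None:
            # No Set-Cookie: the server kept the session it was given (or has none).
            verdicts.append("stable" if sent else "no_session")
        elif sent is None:
            # The server issued an ID although the client presented none.
            verdicts.append("cookie_not_returned" if issued_before else "first_issue")
        elif sent != issued:
            # The client presented an ID and the server replaced it.
            verdicts.append("rotated_by_server")
        else:
            verdicts.append("reissued_same_id")
        issued_before = issued_before or issued is not None
    return verdicts

# Constructed capture 1: the ID is sent back but replaced on every request,
# which is the behaviour the question describes.
ROTATING = [
    (None, "JSESSIONID=AAA111; Path=/; Secure"),
    ("JSESSIONID=AAA111", "JSESSIONID=BBB222; Path=/; Secure"),
    ("JSESSIONID=BBB222; theme=dark", "JSESSIONID=CCC333; Path=/; Secure"),
]
# Constructed capture 2: the client never returns the cookie, so every
# request looks like a first visit from the server's point of view.
NOT_RETURNED = [
    (None, "JSESSIONID=AAA111; Path=/other"),
    (None, "JSESSIONID=BBB222; Path=/other"),
]

if __name__ == "__main__":
    print(classify(ROTATING))
    print(classify(NOT_RETURNED))
```

Comparing the headers as seen by the browser with the headers as seen on the Tomcat side of the proxy shows which hop changes the outcome.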