The post I wrote some time ago about configuring session replication in Tomcat can now be done in a much easier way. Instead of setting up clustering of session objects via boot jars and heavy voodoo, all we have to do now is configure a session-replicating valve in Tomcat using an application-scoped META-INF/context file!
Terracotta is an amazing piece of software and it comes with some really cool tools and features. To enable Tomcat 6 session replication via Terracotta you need to do a few things, but it's relatively simple, so let's do it.
When you think of it at first, it sounds like a great idea. All you have to do is set a global cookie for the main domain and perform authentication based on that. The user will be able to go from subdomain to subdomain and still remain authenticated.
Unfortunately, there is a second side to this story : )
Cross-site scripting leads to a number of security issues. The most important to remember are:
- Session Hijacking - the attacker steals the user's session by obtaining his cookies and gains access to the user's account
- Cross-Site Request Forgery - the attacker uses the user's account to perform an operation the user never intended
In my previous companies we used to serve sessions from MySQL via custom-made session handlers and, to be honest, we never really had any problems with it. I can't actually remember the traffic and concurrency rates, but they were not that low. Currently the solution I'm working with uses memcached for session storage through the default built-in session handler. I am a bit worried about the way it works with memcached.
Problems with memcached sessions in PHP
First of all, memcached is a cache storage engine and it was not designed with sessions in mind. The way the PHP extension uses memcached causes a few more problems in the long run. Here are my concerns:
There are another two pitfalls that are easy to stumble upon when it comes to cookies. These are path- and domain-related issues. Not setting the path on your persistent cookies can be frustrating. Read for more details.
About the author
Hi, my name is Artur Ejsmont,
welcome to my blog. I am a passionate software engineer living in Sydney and working for Yahoo!
If you are into technology, you can order my book Web Scalability for Startup Engineers on Amazon. I would love to hear what your thoughts are, so please feel free to drop me a line or leave a comment.