An easier way to setup terracotta session replication in tomcat 6

The post i wrote some time ago about configuration of session replication in tomcat can be done in a much easier way now. Instead of setting up clustering of session objects via bootjars and heavy voodoo all we have to do now is configure a session replicating valve in your tomcat using application scoped meta-inf/context file!

How to setup terracotta session clustering and replication for apache tomcat 6

Terracotta is an amazing piece of software and it comes with some really cool tools and features. To enable Tomcat 6 session replication via terracotta you need to do a few things but its relatively simple lets do it.

Security considerations of single signon in context of XSS

when you think of it at first it sounds like a great idea. All you have to do is set a global cookie for the main domain and based on that perform authentication. User will be able to go from subdomain to dubdomain and still remain authenticated.

Unfortunately there is second side to this story : )

XSS attack within CSS file or injected into page inline style

There is a very little known method of injecting javascript int CSS files. It would not work in all the browsers (works in my latest IE8) but it is important fact to know.

Basics of Cross Site Scripting AKA XSS and XSFR

Cross site scripts lead to a number of security issues. The most important to remember are:

  • Session Hijacking - hacker steals user's session by getting his cookies and gets access to user's account
  • Cross Site Forgery Request - hacker uses users account to perform operation that was not intended at all

PHP session in Mysql VS Memcached

In my previous companies we used to serve sessions from mysql via a custom made session handlers and to be honest we never really had any problems with it. I cant actually remember the traffics and concurrency rates but it was not that low. Currently the solution im working with uses memcached for sessions storage, the default build in session handler. I am a bit worried about the way it works with memcached.

Problems with memcached sessions in PHP

First of all memcached is a cache storge engine and it was not designed with sessions in mind. The way php extension uses memcache causes a few more problems in the long run. Here are my concerns:

Another cookie rejection pitfall - problems with null path and domain

There are another two pitfalls easy to stumble upon when it comes to cookies. These are path and domain related issues. Not setting path on your persistent cookies might be frustrating. Read for more details.

Syndicate content

About the author

Artur Ejsmont

Hi, my name is Artur Ejsmont,
welcome to my blog. I am a passionate software engineer living in Sydney and working for Yahoo!

Web Scalability for Startup Engineers

If you are into technology, you can order my book Web Scalability for Startup Engineers on Amazon. I would love to hear what are your thoughts so please feel free to drop me a line or leave a comment.

Follow my RSS