On 23.03.2018 at 11:19, Martin Knoblauch wrote:
Hi Rainer,

  so basically I took the Apache path and ended up with the following brute
force method:

RewriteCond "%{REQUEST_METHOD}" "GET"
RewriteRule ^/xxx/facelets/logon.xhtml$ - [E=login_jsid:%{HTTP_COOKIE}]
CustomLog "/opt/xxx/apache2/logs/login_log" xxxlogheader env=login_jsid
RequestHeader unset Cookie env=login_jsid

GET requests on the login page from the same client/browser now end up on
different nodes.

Looking at JK_STICKY_IGNORE, this seems to work as well:

RewriteCond "%{REQUEST_METHOD}" "GET"
RewriteRule ^/xxx/facelets/logon.xhtml$ - [E=JK_STICKY_IGNORE]
CustomLog "/opt/xxx/apache2/logs/login_log" xxxlogheader env=JK_STICKY_IGNORE

I like this actually better, as it does not need to mess with the Cookie.
This is better when components like SiteMinder (for SSO) are involved. I
will give that into our testing/integration environments to see whether we
have any bad side effects.

So thanks again for the valuable input. I will also have a look at the
filter/valve suggestions. But they look more intrusive and getting approval
[did I say big professional organisation somewhere :-)] for that might be
more difficult.

Thanks for the feedback, let us know if you run into surprises :)

As I understand Chris, he plans to backport the tomcat valve so that it will be a configurable standard part of all supported Tomcat versions. That at least would lower the future cost of getting it used in enterprise environments (from code addition down to config addition).

Regards,

Rainer
