Simon Papillon wrote:
"as long as the domains have a common part of course"
Unfortunately in my case that doesn't hold true, it's an international
site, and we've got the same domain names for different TLDs e.g.:
mydomain.com
mydomain.com.ar

I am not really a specialist of Tomcat, so I'll stick to trying at the Apache level for now. Maybe it will provide an idea of how to do it at the Tomcat level anyway.

I imagine that there is a single Apache host, with 3 virtual servers
www.mycompany.com
www.mycompany.co.uk
www.mycompany.ar
and the problem is that a browser will not send a cookie to a server whose domain name does not at least partially match. We also cannot just always set 3 cookies, because the browser would probably reject a cookie that the host "www.mycompany.com" would want to set for the domain "mycompany.co.uk".

On the other hand, there must be a way by which you can tell that it is the same user that just switched from "www.mycompany.com" to "www.mycompany.co.uk". You were talking previously of some scheme based on IP address. That seems a bit dangerous to me, because all requests from behind a router doing NAT will appear to be from the same IP address (but not the same port).

Let's imagine thus that when you get a request, you obtain the IP address and port it is made from, and use this combination as a key. Your 3 servers use a common "database" of user sessions, where each session is identified by such a key. Whenever a server gets a request, it checks the database, and if it finds a matching key, retrieves the info stored under that key, and sets a cookie (with its own domain) which it sends back to the browser. Now the browser, for this new server, will re-send the cookie, and it happens to contain the same information that was set previously by the first server (the one who did the initial authentication and created the initial database entry).

Are we getting somewhere?

No, we are not. Because when the browser switches from one server to the other, it might also start another TCP session, to which the router would give another origin port.

But wait, it might still work, because the 3 virtual servers in fact share the same IP address, and the router would not know that this is a new session, because it works on the basis of IP addresses, and does not look at the "Host:" HTTP headers.

I have no idea how fragile this is, but maybe it gives you some additional ideas? (It probably is quite fragile, because it depends on the browser and server maintaining the same TCP session throughout.)

But now wait again.
Do you know about OpenID? That may be what you are looking for, and avoid all the stuff above. In your case, you would run your own OpenID server, and it would authenticate users no matter on which server they start, and keep this authentication available for the other (registered) servers.
Go to "http://openid.net"

André



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
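
The address-keyed session lookup discussed in this message, simulated as an added example (not part of the original post) to show where it breaks. The toy NAT with its port-reuse policy, the 203.0.113.7 address and all class and function names are constructed assumptions.

```python
from itertools import count

PUBLIC_IP = "203.0.113.7"  # constructed NAT address (documentation range)

class Nat:
    """Toy NAT router: each outbound TCP connection gets a source port;
    ports freed by closed connections are handed out again first."""
    def __init__(self):
        self._next = count(40001)
        self._free = []

    def connect(self):
        port = self._free.pop() if self._free else next(self._next)
        return (PUBLIC_IP, port)      # what the Apache host sees as the peer

    def close(self, peer):
        self._free.append(peer[1])

class SessionStore:
    """Shared session 'database' for the three virtual hosts, keyed by
    peer address: (ip, port) when use_port is True, ip alone otherwise."""
    def __init__(self, use_port):
        self.use_port = use_port
        self.sessions = {}

    def _key(self, peer):
        return peer if self.use_port else peer[0]

    def login(self, peer, user):
        self.sessions[self._key(peer)] = user

    def lookup(self, peer):
        return self.sessions.get(self._key(peer))

def simulate(use_port):
    nat, store = Nat(), SessionStore(use_port)
    alice = nat.connect()             # alice authenticates on www.mycompany.com
    store.login(alice, "alice")
    results = {"alice_same_conn": store.lookup(alice)}  # connection reused
    alice2 = nat.connect()            # browser opens a second TCP connection
    results["alice_new_conn"] = store.lookup(alice2)
    nat.close(alice2)
    nat.close(alice)                  # alice's ports return to the NAT pool
    bob = nat.connect()               # different user behind the same NAT
    results["bob_never_logged_in"] = store.lookup(bob)
    return results

if __name__ == "__main__":
    for use_port in (True, False):
        print("key on ip+port" if use_port else "key on ip only", simulate(use_port))
```

Keyed on IP and port, the legitimate user loses the session on a new connection while a later user who inherits the port is matched to it; keyed on IP alone, everyone behind the router is matched to the first login.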