I use a Tomcat-based app and haproxy. It has worked fine and overall it doesn’t have any issues (we use JSESSIONID as the cookie to maintain the session). But I tried to add the following code to my app in order to give users a 1-minute warning before their session times out and then auto-log them out once it has expired:
On JUST Tomcat, this works as expected. BUT if I am using haproxy in front of the app, the sessionExpiry cookie’s value is getting reset every 3 minutes? Is there a reason for this? Is there a way to disable this?
OK, here it is, stripped of any personal data. Another note: we have the EXACT same config on another server and it doesn’t have the issue at all. I can’t understand why this server is randomly updating a cookie value. haproxy.cfg (remember we are using Tomcat on the backend):
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL).
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048
    maxconn 10000
I figured it out. So we have a bunch of apps hosted at, say, something.hosted.com, each under its own sub-path like /app1.
Well, the code that was making the session timeout cookie was setting the path as root (or slash); it should have been using path ‘/app1’. So the browser, if you’ve been to more than one of these sites, was confused as to WHICH cookie it was pulling, because the ‘cookies’ for something.hosted.com would be for ALL the apps, not just app1.
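The cookie-path collision described in the answer above, shown as an added example (this is not code from the original post or from Tomcat/haproxy): a small Node.js model of a browser cookie jar that stores cookies keyed by (host, name, path) and returns them using the RFC 6265 path-match rule. The hostname something.hosted.com and the /app1 and /app2 paths come from the post; the sessionExpiry values, the request URLs and the helper names (parseSetCookie, pathMatches, CookieJar, simulate) are constructed for the demo. With Path=/ on both apps the second app's cookie silently overwrites the first, so each app reads the other's expiry; with Path=/app1 and Path=/app2 the two cookies coexist and each app only receives its own.

```javascript
// Added example, not part of the original post: a minimal model of how a
// browser stores and returns cookies, following RFC 6265 path-matching, to
// show why a sessionExpiry cookie set with Path=/ collides across /app1 and
// /app2 on one host while Path=/app1 and Path=/app2 keep them separate.
// Hostname and app paths are from the post; cookie values are constructed.

// Parse a Set-Cookie header value into {name, value, path}. When no Path
// attribute is given, RFC 6265 5.1.4 derives a default from the request path.
function parseSetCookie(header, requestPath) {
  const parts = header.split(';').map((s) => s.trim());
  const eq = parts[0].indexOf('=');
  const name = parts[0].slice(0, eq);
  const value = parts[0].slice(eq + 1);
  let path = defaultPath(requestPath);
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=');
    if (k.toLowerCase() === 'path' && v && v.startsWith('/')) path = v;
  }
  return { name, value, path };
}

// Default-path: the request path up to, but not including, its last '/'.
function defaultPath(requestPath) {
  if (!requestPath.startsWith('/')) return '/';
  const idx = requestPath.lastIndexOf('/');
  return idx === 0 ? '/' : requestPath.slice(0, idx);
}

// RFC 6265 5.1.4 path-match: identical, or a prefix ending in '/', or a
// prefix followed by '/' in the request path (so /app1 does not match /app10).
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

class CookieJar {
  constructor() {
    this.cookies = []; // entries: {host, name, value, path}
  }

  // A cookie is identified by (host, name, path); storing the same triple
  // again replaces the old value. This is the overwrite the post ran into.
  store(host, header, requestPath) {
    const c = parseSetCookie(header, requestPath);
    const entry = { host, ...c };
    const i = this.cookies.findIndex(
      (x) => x.host === host && x.name === c.name && x.path === c.path,
    );
    if (i >= 0) this.cookies[i] = entry;
    else this.cookies.push(entry);
  }

  // Cookies a browser would send for a request: host must match and the
  // cookie path must path-match; longer (more specific) paths are listed first.
  cookieHeader(host, requestPath) {
    return this.cookies
      .filter((c) => c.host === host && pathMatches(c.path, requestPath))
      .sort((a, b) => b.path.length - a.path.length)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Two apps under one host, each setting its own sessionExpiry cookie with the
// Path attribute passed in. Values are constructed (180 s apart).
function simulate(pathAttrA, pathAttrB) {
  const jar = new CookieJar();
  const host = 'something.hosted.com';
  jar.store(host, `sessionExpiry=1700000000; Path=${pathAttrA}`, '/app1/index.jsp');
  jar.store(host, `sessionExpiry=1700000180; Path=${pathAttrB}`, '/app2/index.jsp');
  return {
    stored: jar.cookies.length,
    app1Sees: jar.cookieHeader(host, '/app1/index.jsp'),
    app2Sees: jar.cookieHeader(host, '/app2/index.jsp'),
  };
}

console.log('Path=/ for both apps :', simulate('/', '/'));
console.log('Path=/appN per app   :', simulate('/app1', '/app2'));
```

Run it with `node cookie-path.js`. The first line shows a single stored cookie whose value is whichever app wrote last, visible to both apps; the second shows two cookies, each returned only for its own sub-path. The same scoping applies to JSESSIONID, which is why Tomcat sets it with the context path by default.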