SessionExpiry resetting ever 3 minutes?

I use a Tomcat-based app and haproxy. It has worked fine and overall it doesn’t have any issues (use JSESSIONID as the cookie to maintain session). But I tried to add the following code to my app in order to give users a 1 minute warning when their session will timeout and then auto-log them out if it has expired:

On JUST Tomcat, this works as expected. BUT if I am using haproxy in front of the app, the sessionExpiry cookie’s value is getting reset every 3 minutes ? Is there a reason for this? Is there a way to disable this?

Share you configuration please, especially regarding timeouts, load-balancing, cookie insertion and server selection.

Ok, here it is stripped of any personal data … another note, we have the EXACT same config on another server and it doesn’t have the issue at all? I can’t understand why this server is randomly updating a cookie value? Haproxy.cfg (remember we are using Tomcat on the backend):

log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL).
    ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048

maxconn 10000

maxconn 60000
log global
mode http
option forwardfor
option http-server-close
option httplog
option dontlognull
timeout connect 10000
timeout client 30m
timeout server 30m
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /usr/local/telmast/www/connection_error.html
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /usr/local/telmast/www/connection_error.html
errorfile 504 /etc/haproxy/errors/504.http

frontend www-http
bind 10.X.X.X:80
redirect scheme https code 301 if !{ ssl_fc }

frontend www-https
bind 10.X.X.X:443 ssl crt /usr/local/app/soft/ssl/private.keystore.pem

reqadd X-Forwarded-Proto:\ https
rspirep ^Location:\ http://(.*) Location:\ https://\1

acl url_demolab path_dir demolab
use_backend demolab if url_demolab

backend demolab
cookie JSESSIONID indirect nocache
server s1 10.X.Y.Y:80 check cookie s1

I figured it out :frowning: So we have a bunch of apps hosted at say under their own sup path like /app1

Well the code that was making the session timeout cookie was setting the path as root (or slash) … it should have been using path ‘/app1’. So the browser, if you’ve been to more than one of these sites, was confused as to WHICH cookie it’s pulling because the ‘cookies’ for would be ALL the apps not just app1.

1 Like