I had a customer today who had problems using Tomcat sessions after configuring his application to run through mod_proxy_ajp. Everything worked correctly when hitting the application correctly on port 8080, but any attempts to hit the site through Apache and mod_proxy_ajp would result in the sessions not being saved, and a new session being created on every request.
The problem is that Tomcat is sending a Set-Cookie header with the Path that it knows about – which is different than what the browser is requesting.
The application is at http://www.mydomain.com/, and mod_proxy_ajp is redirecting that to http://localhost:8009/myapp/.
Here is the HTTP Response Headers that Tomcat is sending
HTTP/1.1 200 OK Date: Sun, 28 Oct 2007 01:39:44 GMT Set-Cookie: JSESSIONID=TOMCAT_SESSION_ID_HERE; Path=/myapp Content-Type: text/html;charset=ISO-8859-1 Content-Length: 11234 Connection: close
You can see in the Set-Cookie header that it is setting a cookie path of /myapp. The browser receives this and will only send that cookie back on requests sent for requests beginning with /myapp. Fortunately Apache 2.2 includes the ProxyPassReverseCookiePath directive to rewrite the Set-Cookie headers on these requests. You can configure a virtual host like this:
<VirtualHost *:80> ServerName www.realdomain.com ProxyRequests Off ProxyPass / ajp://127.0.0.1:8009/myapp/ ProxyPassReverse / ajp://127.0.0.1:8009/myapp/ ProxyPassReverseCookiePath /myapp / </VirtualHost>
And now the HTTP Response headers look like this:
HTTP/1.1 200 OK Date: Sun, 28 Oct 2007 01:39:44 GMT Set-Cookie: JSESSIONID=TOMCAT_SESSION_ID_HERE; Path=/ Content-Type: text/html;charset=ISO-8859-1 Content-Length: 11234 Connection: close
The browser now sees that the cookie is for / and will send the JSESSIONID cookie for all requests to this server.
3 thoughts on “Use ProxyPassReverseCookieDomain with to maintain Tomcat sessions through mod_proxy_ajp”
Hi, I have a question about Ruby on Rails sessions.
I’m planning to use a reverse proxy on production. When I use Firebug to watch the response headers, I see that a header of “Set-Cookie” is set with the same session id on every request.
Now, with every request from the same user, the reverse proxy will always think it is a new session and hence prevent caching and affect the performance.
Can you help me to fix this?
@Hatem – The fact that you are getting the same session ID seems to indicate that sessions are getting carried through properly. If they weren’t, you would likely get a different session ID on each request. I’m not familiar with how RoR sessions work to know if this is normal or not (PHP doesn’t do it from what I can tell).
Article is called “Use ProxyPassReverseCookieDomain “, but you are talking about ProxyPassReverseCookiePath, nice.