Java: Can I redirect clients to the same session /node behind load-balancer through application?

StackOverflow https://stackoverflow.com//questions/24017653

  •  21-12-2019

Question

I have a webapp where a user should be able to access the same session (jsession) through different clients (i.e. from a pc-browser and from smartphone-browser) at the same time.

Example:

A) Person X will access the system through his PC, for example by browsing http://example.com/testapp?workon=123. The server will create a new JSESSIONID, send it back to the client, and store some value - say 'abc' - inside his session.

B) Now the same Person X will access the same URL from his smartphone and be able to retrieve the value 'abc' from the session in subsequent requests.

This will not work out of the box, because in B) the client will get a new Session and JSESSIONID which is different than the one provided in A).

When I now force the server to supply the same JSESSIONID to B) as it did in A) will they both be able to access the same session? Is this possible?

I'm asking this, because I want to achieve the following:

The application is running behind a load balancer that has sticky sessions enabled by using the JSESSIONID.

I want to achieve that B will be redirected to the same cluster-node as A) on subsequent requests of B).

The request-parameter "workon" here is just an example. In reality this is a token that the load-balancer cannot understand. Only the application is able to understand and decode the content of the "workon" parameter.

It will be no problem that the first request of B) will go to any node. Any node is able to decode the "workon" parameter and supply the correct JSESSIONID for it to the client. But subsequent requests should be redirected to the same node that requests from A) go to.

I do not want to use session sharing across nodes, because of performance issues. The session data is rather large. I want to redirect B) to the same node as A) based on the first request of B).

Any ideas?

Edit to reflect questions in comments:

On request A) there is the request parameter "workon"; this identifies some record inside a map. This record contains the user and the jsessionid for secure binding. So the load balancer cannot find out the user for the request. The user is not authenticated using any login.

On request B) (from the smartphone) the phone sends a userid and a token on the first request (inside the JSON/XML payload). The application checks that the token is valid for that user (again using some map), then finds the latest "workon" for that user and sends this "workon" back to the smartphone. On subsequent requests (those should go to the same node as A) the smartphone sends the token and the workon parameter.


Solution

You cannot use the JSESSION ID token directly if you want the node assignment to persist across different browsers (a PC and a mobile, as in your example).

You would need authentication for that. After authentication you set a cookie on the client which is unique for each user. Do not use this cookie to check if the user is authenticated: it will open you to all kinds of security issues. Just make sure that after logon a user always gets the same cookie value.

Use that cookie to implement sticky sessions in your load balancer. Specifics will change according to the balancer, but most of them should understand cookies.

The specific name and content of the cookie varies across load balancers. Here is a sample with apache server apache load balancer: http://httpd.apache.org/docs/current/mod/mod_proxy_balancer.html http://www.markround.com/archives/33-Apache-mod_proxy-balancing-with-PHP-sticky-sessions.html/

Here is another one with haproxy: Load Balancing (HAProxy or other) - Sticky Sessions

Notice that for haproxy you should enable the 'preserve' option in the configuration, so that the server is in control of the cookie content and can stick the same user to the same backend (after authentication).
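
An added sketch of the approach in the answer above (not code from the question or the answer): any node that receives request B) looks up the "workon" record and emits a routing-only cookie naming the node that holds A)'s session, while the token check still decides access. The cookie name `NODEID`, the node names, the `WorkOn` record and its `nodeId` field are assumptions made for this example.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class RoutingCookieExample {
    // Assumed to match the "server <name> ... cookie <value>" lines of an HAProxy
    // backend configured with:  cookie NODEID insert indirect nocache preserve
    static final Set<String> KNOWN_NODES = Set.of("node1", "node2");
    static final String COOKIE_NAME = "NODEID"; // hypothetical cookie name

    // Hypothetical record (Java 16+): the user and the node that own the session
    // behind a "workon" token.
    record WorkOn(String userId, String nodeId) {}

    // Stand-in for the application's own map from workon token to record.
    static final Map<String, WorkOn> WORKON = new ConcurrentHashMap<>();

    /** Returns the Set-Cookie value that steers the client to the node holding the
     *  session, or empty when the token is missing, unknown, bound to another user,
     *  or points at a node that is not in the allow-list. */
    static Optional<String> routingCookie(String userId, String workonToken) {
        WorkOn rec = (workonToken == null) ? null : WORKON.get(workonToken);
        if (rec == null || !rec.userId().equals(userId)) return Optional.empty();
        if (!KNOWN_NODES.contains(rec.nodeId())) return Optional.empty();
        // Routing hint only: no user id, token or session id goes into the cookie,
        // so it cannot be mistaken for (or reused as) proof of authentication.
        return Optional.of(COOKIE_NAME + "=" + rec.nodeId()
                + "; Path=/; HttpOnly; Secure; SameSite=Lax");
    }

    public static void main(String[] args) {
        WORKON.put("123", new WorkOn("personX", "node1")); // constructed sample data
        // Request B) lands on any node; that node answers with the cookie for node1.
        System.out.println(routingCookie("personX", "123").orElse("(no cookie)"));
        // Another user presenting the same workon value gets no routing cookie.
        System.out.println(routingCookie("someoneElse", "123").orElse("(no cookie)"));
    }
}
```

The node that ends up serving the request still has to validate the token and the user on every request, because a client can set the routing cookie to any value it likes.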

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow