質問
We have a weblogic application that needs to support being served from multiple domains (e.g. "foo.com" and "bar.com"). Once a user initiates a session on one of these domains they can visit to subdomains off that primary domain (e.g. "a.foo.com", "b.foo.com") and share that session across all of these subdomains. If a user jumps from "foo.com" to "bar.com", they will lose their session, which is fine.
We were able to successfully implement this on JBoss/Tomcat by customizing a 'Valve' to rewrite the session cookie to always be at the top level domain for the serverName that is being requested (i.e. request.getServerName()).
However, we are currently in the process of migrating our application from JBoss to Weblogic and are trying to figure out how to support the same requirement. We have found that weblogic does allow for sharing sessions across multiple subdomains of a single domain by setting the 'cookie-domain' property within the weblogic.xml:
https://stackoverflow.com/questions/21708114
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian<session-descriptor>
<cookie-path>/store</cookie-path >
<cookie-domain>.foo.com</cookie-domain>
</session-descriptor>
However, we haven't figured out how to configure support for multiple domains (i.e. both foo.com and bar.com). From what we can tell, the weblogic.xml file doesn't support this.
If we only configure one of the domains in the weblogic.xml, sessions do not work properly for the domain that is not configured (i.e. every request leads to a new session).
Any ideas on how we can support sessions across different domains for a single web-app on weblogic?
We are running on Weblogic 12c.
解決
As of WebLogic 12c, Oracle confirmed that what we were trying to do is not currently supported. There are also no immediate plans to implement such a feature.
The workaround that we chose to implement was to use mod_rewrite to rewrite the domain of the JSESSIONID cookie at the HTTP server level to be the domain of the request.
他のヒント
I believe such an option should NOT be supported. If it is allowed then nothing prevents hotmail.com from configuring yahoo.com (say) in its configuration file and getting access to yahoo's JSESSIONID value.
