In the case of SaaS applications, where the same server plays host to multiple applications, how are session attributes maintained? To elaborate on the question: AppA and AppB are hosted on the same machine, and I now create UserA for AppA and UserB for AppB. AppA and AppB belong to different organizations, so they are not linked. Some details about the user are stored at HTTP session level (until the session times out). So now if I log in to both AppA and AppB from the same browser using different tabs, I may end up seeing some of the UserA/AppA details on the UserB/AppB screen or vice versa. How can such a problem be solved? One solution I can think of is to create subdomains like appa.example.org and appb.example.org. Is there any other/better way?

saugata
  • 2,633
  • 1
  • 24
  • 37
  • If the apps belong to different organizations, will there be a real-life scenario where they can be accessed from the *same browser*? – JoseK Sep 02 '10 at 11:04
  • @JoseK Yes, there will be. The apps do belong to different organizations but they are accessible over the Internet, not just within the internal network of an organization. If a user is enrolled with both organizations, they might open them both at the same time. – saugata Sep 02 '10 at 12:14

2 Answers

1

The best solution I've come up with was inspired by this question. I've pointed multiple contexts to the same war file:

<Service ...>
    <Engine ...>
        <Host ... autoDeploy="false">
            <Context docBase="myapp.war" path="/tenant1"/>
            <Context docBase="myapp.war" path="/tenant2"/>
        </Host>
    </Engine>
</Service>

This is essentially the same as making copies of myapp.war called tenant1.war, tenant2.war, etc. Each tenant is technically running their own webapp, even though they're all running the same code. If you have users with credentials on two or more tenants, they can log on to both at the same time, and each webapp will get its own session, because the JSESSIONID cookies containing the session ID are each tied to a specific context path.

There are drawbacks to this approach. For one, all the classes in the war file get reloaded for each tenant, so I'll have to keep an eye on PermGen space. For another, I'll have to edit server.xml every time a new tenant comes along. Have you found a better solution?

Community
  • 1
  • 1
gatkin
  • 1,844
  • 12
  • 12
  • I added a level of indirection. All my (Spring) controllers extend a BaseController that exposes a method like Context getContext(tenant){ if tenant has a context in session check that last access time is within tenant's session timeout, otherwise clean the old context, if any, and create a new context, update access time, update app server session timeout to max of all tenants in session and return}. Context is just a map of String,Object. All other servlets/controllers/JSPs read/write to Context rather than session. – saugata Jun 11 '12 at 07:24
  • The tenant name itself is derived from URL requested. URLs are like http://host/warname/tenantname/resource.htm – saugata Jun 11 '12 at 07:31
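The level of indirection saugata describes in the comment above, written out as an added example. This is not the poster's code: it assumes the javax.servlet API of that era, URLs of the form http://host/warname/tenantname/resource.htm (tenant is the first path segment after the context path), and the per-tenant timeouts in TENANT_TIMEOUT_SECONDS are constructed values standing in for real tenant configuration.

```java
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * One container HttpSession, one attribute bag ("Context") per tenant.
 * Controllers read and write the bag returned by contextFor(request)
 * instead of touching session attributes directly, so data for tenant1
 * never shows up on a tenant2 screen even though both tabs share one
 * JSESSIONID. (Added example; assumptions are noted in the lead-in.)
 */
public final class TenantSessions {

    // Idle timeout per tenant, in seconds. Constructed values for illustration;
    // a real deployment would load these from tenant configuration.
    private static final Map<String, Integer> TENANT_TIMEOUT_SECONDS = new HashMap<>();
    static {
        TENANT_TIMEOUT_SECONDS.put("tenant1", 900);
        TENANT_TIMEOUT_SECONDS.put("tenant2", 1800);
    }

    private static final String CONTEXT_PREFIX = "tenantContext:";
    private static final String ACCESS_PREFIX = "tenantLastAccess:";

    private TenantSessions() {}

    /** Convenience entry point for a controller: bag for the tenant named in this request's URL. */
    public static Map<String, Object> contextFor(HttpServletRequest request) {
        return getContext(request.getSession(), tenantOf(request), System.currentTimeMillis());
    }

    /**
     * /warname/tenant1/resource.htm -> "tenant1". The name is validated against the
     * known tenant list, so a crafted path cannot mint an arbitrary new bag.
     */
    public static String tenantOf(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        String[] segments = path.split("/", 3);   // "", "tenant1", "resource.htm"
        if (segments.length < 2 || !TENANT_TIMEOUT_SECONDS.containsKey(segments[1])) {
            throw new IllegalArgumentException("no known tenant in " + path);
        }
        return segments[1];
    }

    /**
     * Returns the tenant's bag, replacing it with an empty one when it is absent or the
     * tenant's own idle timeout has elapsed, then raises the container timeout to the
     * longest timeout among the tenants active in this session so a short-lived tenant
     * cannot log the long-lived one out.
     */
    @SuppressWarnings("unchecked")
    public static Map<String, Object> getContext(HttpSession session, String tenant, long nowMillis) {
        synchronized (session) {   // two tabs of one browser hit the same session concurrently
            Map<String, Object> ctx = (Map<String, Object>) session.getAttribute(CONTEXT_PREFIX + tenant);
            Long lastAccess = (Long) session.getAttribute(ACCESS_PREFIX + tenant);
            long timeoutMillis = TENANT_TIMEOUT_SECONDS.get(tenant) * 1000L;
            if (ctx == null || lastAccess == null || nowMillis - lastAccess > timeoutMillis) {
                ctx = new HashMap<>();   // stale data is dropped, never handed to the new login
                session.setAttribute(CONTEXT_PREFIX + tenant, ctx);
            }
            session.setAttribute(ACCESS_PREFIX + tenant, nowMillis);
            session.setMaxInactiveInterval(longestTimeoutInSession(session));
            return ctx;
        }
    }

    /** Logging out of one tenant removes only that tenant's bag; the others stay logged in. */
    public static void logout(HttpSession session, String tenant) {
        synchronized (session) {
            session.removeAttribute(CONTEXT_PREFIX + tenant);
            session.removeAttribute(ACCESS_PREFIX + tenant);
        }
    }

    private static int longestTimeoutInSession(HttpSession session) {
        int max = 0;
        for (Enumeration<?> names = session.getAttributeNames(); names.hasMoreElements();) {
            String name = (String) names.nextElement();
            if (name.startsWith(CONTEXT_PREFIX)) {
                max = Math.max(max, TENANT_TIMEOUT_SECONDS.get(name.substring(CONTEXT_PREFIX.length())));
            }
        }
        return max;
    }
}
```

Two points worth keeping in mind with this layout. The tenant is always taken from the request URL and checked against the known list, never from something previously stored in the session, so a bag can only be reached through its own tenant's URLs. And all bags still hang off one JSESSIONID: unlike the separate-context approach in the answer above, a stolen session cookie covers every tenant the user is logged into, which is why the per-tenant timeout and per-tenant logout are applied on top rather than relying on the container's single timeout.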
1

Normally you will not see details from one app in another app.

When a session is created it is created inside the web application and identified by a key. This session-id is what is stored in a cookie or passed in some other way to identify which session object to refer to on the next request.

If you would present this session id to another webapp it won't find the attributes because they live in the other webapp.

Now, that is 'normally'. In practice this can be configured in all directions, like storing all attributes in the cookie (very useful in extreme failover scenarios), storing the session in a shared memcached layer or shared database table (then you would get the same object back in the other application of course), and so on, and so on.

Peter Tillemans
  • 33,685
  • 9
  • 76
  • 112
  • Maybe I was not clear, the two "apps" are on the same web app, they provide the same functionality, but for different organizations. Since the browser finds a cookie for the existing domain, it always sends the same cookie, including when two different tabs are open. – saugata Sep 02 '10 at 09:47
  • I think the answer to this question explains this : http://stackoverflow.com/questions/595872/under-what-conditions-is-a-jsessionid-created – Peter Tillemans Sep 02 '10 at 12:12
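The cookie behaviour discussed in this answer and its comments, modelled as an added example with java.net.CookieManager standing in for the browser's cookie jar (this is not code from either poster; host.example, the paths and the JSESSIONID values are constructed). Case 1 is the two-context layout from the other answer, where each JSESSIONID is scoped by its Path attribute to one context; case 2 is saugata's situation, one context path with the tenant only appearing further down the URL, where the browser holds a single cookie for that path and the second login replaces the first.

```java
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.URI;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

/**
 * Shows which JSESSIONID a browser tab sends depending on the Path attribute
 * the server put on the cookie. Added example; all hosts, paths and ids are constructed.
 */
public final class SessionCookieScope {

    private SessionCookieScope() {}

    /** Store the Set-Cookie header that a login response at loginUrl would carry. */
    public static void receive(CookieManager jar, String loginUrl, String setCookie) throws Exception {
        Map<String, List<String>> responseHeaders =
                Collections.singletonMap("Set-Cookie", Arrays.asList(setCookie));
        jar.put(URI.create(loginUrl), responseHeaders);
    }

    /** The Cookie header values the jar would attach to a request for url (empty list if none). */
    public static List<String> cookiesSentTo(CookieManager jar, String url) throws Exception {
        Map<String, List<String>> noRequestHeaders = Collections.emptyMap();
        return jar.get(URI.create(url), noRequestHeaders).get("Cookie");
    }

    public static void main(String[] args) throws Exception {
        // Case 1: two context paths on one host; each cookie is scoped to its own path.
        CookieManager twoContexts = new CookieManager(null, CookiePolicy.ACCEPT_ALL);
        receive(twoContexts, "http://host.example/tenant1/login", "JSESSIONID=AAA111; Path=/tenant1; HttpOnly");
        receive(twoContexts, "http://host.example/tenant2/login", "JSESSIONID=BBB222; Path=/tenant2; HttpOnly");
        System.out.println("two contexts, tenant1 tab sends: "
                + cookiesSentTo(twoContexts, "http://host.example/tenant1/resource.htm"));
        System.out.println("two contexts, tenant2 tab sends: "
                + cookiesSentTo(twoContexts, "http://host.example/tenant2/resource.htm"));

        // Case 2: one context path (/myapp); the tenant is only a segment below it,
        // so both logins set a cookie with the same name and the same Path.
        CookieManager oneContext = new CookieManager(null, CookiePolicy.ACCEPT_ALL);
        receive(oneContext, "http://host.example/myapp/tenant1/login", "JSESSIONID=CCC333; Path=/myapp; HttpOnly");
        receive(oneContext, "http://host.example/myapp/tenant2/login", "JSESSIONID=DDD444; Path=/myapp; HttpOnly");
        System.out.println("one context, tenant1 tab sends: "
                + cookiesSentTo(oneContext, "http://host.example/myapp/tenant1/resource.htm"));
        System.out.println("one context, tenant2 tab sends: "
                + cookiesSentTo(oneContext, "http://host.example/myapp/tenant2/resource.htm"));
    }
}
```

In case 1 the two tabs carry different session ids, so the server keeps two separate session objects and no attribute can cross over. In case 2 the jar ends up holding one JSESSIONID for /myapp, the tenant2 login having replaced the tenant1 cookie, so both tabs present the same session id and the server hands back the same session object: exactly the situation in which tenant1 attributes can surface on a tenant2 page unless the application itself keeps them apart.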