magro / memcached-session-manager

A Tomcat session manager that backs up sessions in memcached and pulls them from there if asked for unknown sessions
Apache License 2.0
758 stars, 348 forks

Non Sticky Session - Spring Application Logout as session becoming invalid #393

Closed cpemaratech closed 4 years ago

cpemaratech commented 5 years ago

We have deployed the latest Memcached on our RedHat Linux box.

On the client side, in our Spring Boot application, we are using spymemcached-2.12.3.jar, memcached-2.3.0.jar, tc8-2.3.0.jar.

We have 2 app servers behind a load balancer, and below is our client configuration:

    memcached.session.storage.enabled=true
    memcached.server.hostname=XX.XX.XX.XX
    memcached.server.port=11211
    memcached.server.user=XXXXXX
    memcached.server.password=XXXXXX
    memcached.uri.ignore.pattern=ico|png|gif|jpg|css|js|bmp|jpeg
    memcached.session.sticky=false
    memcached.session.backup.async=false
    memcached.session.backup.thread.count=10000
    memcached.session.locking.mode=auto

Issue - When we log in to the application, we are able to log in successfully and see the logged-in user's profile data. However, upon subsequently navigating to other pages, our application gets logged out.

We have the memcached-session-manager log, the Spring Security log, and the memcached server log for your review: app-log-without-memcached.txt, memcached-server-log.txt, siteapp1.txt, siteapp2.txt

What I noticed -

  1. Without memcached, if we run on a single instance and navigate between pages, then in Chrome -> Developer Tools -> Application -> Cookies we see only a single JSESSIONID across many requests.

  2. With memcached enabled, if we run on a single instance and navigate between pages, then in Chrome -> Developer Tools -> Application -> Cookies we see multiple JSESSIONIDs, changing frequently.

  3. Point #2 can be validated by checking the application log, where MemcachedBackupSessionManager creates a new session ID many times.

  4. There is a log entry from Spring Security which observes no presence of a session, causing the application to log out as it doesn't find a security context.

2018-11-25 18:40:57.163 DEBUG 6507 --- [http-nio-8080-exec-10] o.s.s.w.session.SessionManagementFilter : Requested session ID 10104B61478B5087782364960D3BABD3 is invalid.

  5. The log below is without memcached (default Tomcat session manager); if you notice, Spring Security properly identified the session and so allows navigating to other pages:

2018-11-25 13:49:17.249 DEBUG 8440 --- [http-nio-8080-exec-10] w.c.HttpSessionSecurityContextRepository : Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@bae7b640: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@bae7b640: Principal: org.broadleafcommerce.profile.core.service.CustomerUserDetails@fef8ae5c: Username: a.1@cp.com; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@21a2c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: D4E690E38691C5CE49A14F975459F97B; Granted Authorities: ROLE_USER'

Do you have any suggestions based on this information?

kumar-chandan-kc commented 4 years ago

Hey, we are facing the exact same problem. Did you manage to get it working? Please let us know. Thanks.

cpemaratech commented 4 years ago

Yeah. I should have closed this issue long back.

@kumar-chandan-kc - Memcached has been running smoothly in our production for a long time. I recall it was a place in the application which was creating a new session. If you have not yet done so, try enabling SessionListener and SessionAttributeListener and see whether a session is being created or destroyed by the application unexpectedly.
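
One way to apply the listener suggestion from the last comment, as an added example that is not code from this thread or from memcached-session-manager: a combined session and attribute listener that logs the call stack at each session creation or destruction, so the code path that unexpectedly creates a new session shows up in the log. It assumes Spring Boot (which registers listener beans with the embedded container), the `javax.servlet` API used with Tomcat 8, and SLF4J; the package and class names are hypothetical.

```java
package example.diagnostics; // hypothetical package name

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.servlet.http.*;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

@Component // assumption: Spring Boot picks up servlet listener beans
public class SessionLifecycleLogger
        implements HttpSessionListener, HttpSessionAttributeListener {

    private static final Logger log = LoggerFactory.getLogger(SessionLifecycleLogger.class);

    // A session ID is a bearer credential: log a short SHA-256 prefix, never the raw ID.
    static String tag(String sessionId) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256")
                    .digest(sessionId.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < 4; i++) sb.append(String.format("%02x", d[i]));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    @Override public void sessionCreated(HttpSessionEvent se) {
        // The trailing Throwable makes SLF4J print the stack of the code that created the session.
        log.info("session created tag={}", tag(se.getSession().getId()),
                new Throwable("session creation call site"));
    }

    @Override public void sessionDestroyed(HttpSessionEvent se) {
        log.info("session destroyed tag={}", tag(se.getSession().getId()),
                new Throwable("session destruction call site"));
    }

    @Override public void attributeAdded(HttpSessionBindingEvent e) { logAttr("added", e); }
    @Override public void attributeRemoved(HttpSessionBindingEvent e) { logAttr("removed", e); }
    @Override public void attributeReplaced(HttpSessionBindingEvent e) { logAttr("replaced", e); }

    private void logAttr(String action, HttpSessionBindingEvent e) {
        // Names only: values such as SPRING_SECURITY_CONTEXT carry principal data.
        log.info("attribute {} name={} session tag={}",
                action, e.getName(), tag(e.getSession().getId()));
    }
}
```

Remove the listener once the offending call site is found, since a stack trace per session event is expensive under production load.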