Using the SSL for session tracking in your application

This is a new feature in the Servlet 3.0 specification. Because it uses the SSL session ID associated with the physical client-server connection there are some limitations. They are:

  • Tomcat must have a connector with the attribute isSecure set to true.
  • If SSL connections are managed by a proxy or a hardware accelerator they must populate the SSL request headers so that the SSL session ID is visible to Tomcat.
  • If Tomcat terminates the SSL connection, it will not be possible to use session replication as the SSL session IDs will be different on each node.

To enable SSL session tracking you need to use a context listener to set the tracking mode for the context to be just SSL (if any other tracking mode is enabled, it will be used in preference). It might look something like:

package org.apache.tomcat.example;

 

import java.util.EnumSet;

 

import javax.servlet.ServletContext;

import javax.servlet.ServletContextEvent;

import javax.servlet.ServletContextListener;

import javax.servlet.SessionTrackingMode;

 

public class SessionTrackingModeListener implements ServletContextListener {

 

@Override

public void contextDestroyed(ServletContextEvent event) {

// Do nothing

}

 

@Override

public void contextInitialized(ServletContextEvent event) {

ServletContext context = event.getServletContext();

EnumSet<SessionTrackingMode> modes =

EnumSet.of(SessionTrackingMode.SSL);

 

context.setSessionTrackingModes(modes);

}

 

}

SSL session tracking is implemented for the BIO and NIO connectors. It is not yet implemented for the APR connector.

Troubleshooting for SSL
Miscellaneous Tips and Bits

Get industry recognized certification – Contact us

keyboard_arrow_up
Open chat
Need help?
Hello 👋
Can we help you?