This is a new feature in the Servlet 3.0 specification. Because it uses the SSL session ID associated with the physical client-server connection, there are some limitations:

- Tomcat must have a connector with the attribute isSecure set to true.
- If SSL connections are managed by a proxy or a hardware accelerator, they must populate the SSL request headers so that the SSL session ID is visible to Tomcat.
- If Tomcat terminates the SSL connection, it will not be possible to use session replication as the SSL session IDs will be different on each node.

To enable SSL session tracking, you need to use a context listener to set the tracking mode for the context to SSL only (if any other tracking mode is enabled, it will be used in preference). It might look something like:

```java
package org.apache.tomcat.example;

import java.util.EnumSet;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionTrackingMode;

public class SessionTrackingModeListener implements ServletContextListener {

    @Override
    public void contextDestroyed(ServletContextEvent event) {
        // Do nothing
    }

    @Override
    public void contextInitialized(ServletContextEvent event) {
        ServletContext context = event.getServletContext();
        EnumSet<SessionTrackingMode> modes =
            EnumSet.of(SessionTrackingMode.SSL);
        context.setSessionTrackingModes(modes);
    }
}
```

SSL session tracking is implemented for the BIO and NIO connectors. It is not yet implemented for the APR connector.
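
The limitations above can be checked at deployment time and on each request. The following filter is an added example, not code from the Tomcat documentation or code base; the package and class names are hypothetical. It uses only Servlet 3.0 API calls and the `javax.servlet.request.ssl_session_id` request attribute defined by the Servlet 3.0 specification.

```java
package example.ssltracking; // hypothetical package for this added example

import java.io.IOException;
import java.util.EnumSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/*")
public class SslTrackingGuardFilter implements Filter {

    // Request attribute name defined by the Servlet 3.0 specification.
    private static final String SSL_SESSION_ID = "javax.servlet.request.ssl_session_id";

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Filters are initialised after context listeners have run, so this
        // reflects what the listener set. Fail startup if any other tracking
        // mode (cookie or URL) is still in effect.
        Set<SessionTrackingMode> effective =
                config.getServletContext().getEffectiveSessionTrackingModes();
        if (!EnumSet.of(SessionTrackingMode.SSL).equals(effective)) {
            throw new ServletException("Expected SSL-only session tracking, found " + effective);
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // A non-secure connector, or a proxy that does not forward the SSL
        // request headers, leaves no SSL session ID to bind the session to.
        if (!request.isSecure() || request.getAttribute(SSL_SESSION_ID) == null) {
            ((HttpServletResponse) response).sendError(
                    HttpServletResponse.SC_FORBIDDEN, "SSL session ID not available");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release
    }
}
```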