Clustered JEE sessions with redisson

jvc · April 6, 2022, 12:13pm

Hi All

We have a large number of lucee applications that are load balanced and are trying to move away from LB persistence by centralising J2EE sessions using redisson. After a couple of attempts at this I have got the session IDs into redis (via Manager className=“org.redisson.tomcat.RedissonSessionManager” ) but redisson can not read or write session data because of

Caused by: org.redisson.client.RedisException: Unexpected exception while processing command
  ... 46 more
 Caused by: java.io.IOException: java.lang.ClassNotFoundException: lucee.runtime.type.scope.JSession
  at org.redisson.codec.SerializationCodec$1.decode(SerializationCodec.java:65)

Has anyone else tried this?

Lyle_Karstensen · April 11, 2022, 3:01am

Created my own shared sessions that use the onSessionStart create my own sessionid and then use mongodb.

sbleon · April 11, 2022, 3:15pm

We’ve tried this, but without much success. I’m looking forward to hearing about any successful approaches that y’all have taken.

markdrew · April 11, 2022, 3:41pm

You can do this in Lucee pretty easily.
in the application.cfc you can set

component {
...
this.sessionstorage="NameOfACache"
this.sessioncluster=true

And if i recall that is about it. All you need to do is now create a cache in the Lucee Admin pointing to whatever storage you want and session enable it.:

(notice ticking the Storage tickbox)
If you need other cache providers you can check here:
https://download.lucee.org/

or of course, other vendors that provide caches.

Hope that helps!

jvc · April 12, 2022, 4:42pm

I thought that was for cfml sessions only. Is that not the case? We are using JEE sessions because cfml sessions raise issues in pentests.

markdrew · April 12, 2022, 4:58pm

Ahh true. Not sure what issues they raise? But regardless, I have had (historically) issues with serializing sessions in servlet containers. Hence using CFML sessions.

jvc · April 13, 2022, 2:06pm

Yup. Sounds a familiar problem on Lucee: if you want clustered sessions they have to be cfml. Not complaining, of course! Just how it as at the moment. Redisson is a general Tomcat solution but it seems to not work with Lucee. Is a context/class loader issue I cant resolve.

jvc · April 13, 2022, 2:14pm

@Lyle_Karstensen

Created my own shared sessions that use the onSessionStart create my own sessionid and then use mongodb.

Do you have any info on that? Did you add your own cookie? Did you also have the cfml session cookies enabled or JEE? What did you do with the old cookies, just expire them? When the request hit server 2 and server 2 decided “i dont know what this session is, I will start a new one” how did you access the existing unrecognised session id? Any more deets very welcome

jvc · April 13, 2022, 5:01pm

@Lyle_Karstensen

Ok I have something working POC. Is not great as the JSESSION is basically ignored, so lucee starts a new one every time, but I have session data centralised and being shared across servers.

Any info you can share about your implementation would be great but thanks for the tip I may have to fall back to this if a redisson guru doesn’t show me the light

Zackster · April 13, 2022, 9:48pm

which exact Lucee version? there were some jsession fixes in 5.3.9 relating to onSessionEnd

markdrew · April 15, 2022, 1:27pm

I dont think so , a number other session providers seems to have this issue. If it is solvable I would love to know too! I battled a lot a while back with this and there was a whole thread about using different serialziers (like JSON serializers) but of course this would mean a bit of a re-write.