IIS Lucee: share session between multi sites

Hello everyone,

We are experimenting with migrating our old and large CF project from Adobe CF to Lucee.
Our current setup runs on Windows with IIS as the web server connected by AJP (wsconfig.exe) .

We tried to replicate the same with IIS and Lucee/Tomcat using BonCode and mod_cfml by selecting to configure all (IIS) sites during the Lucee installation. After some extra config we were able to view the sites.

The Problem:

Our site has a several subdomains which are configured as separate IIS Sites. With ACF once the user is logged in they stay logged in when navigating between the sub domains.

On Lucee we lose the Session when navigating away to another domain. I realized mod_cfml’s Valve
creates new Tomcat contexts per site in runtime and our subdomains are run as independent websites hence there’s no shared session information between them.

IIS-site1 → myapp/src/site1/ (has its own Application.cfm)
IIS-site1 → myapp/src/site2/ (has its own Application.cfm)
IIS-site3 → myapp/src/site3/ (has its own Application.cfm)

My question is can we make the sites share the session? (I guess no)

Thanks a lot.

Don’t forget to tell us about your stack!

OS: Windows
Java Version: 11.0.15
Tomcat Version: 9.0.45
Lucee Version: 5.3.9.141

if you are using the same application name, you could try using redis, db, etc for session storage, that way each separate lucee site (web context), shares the same backend session storage

Thanks for your reply. “Currently” we are resisting the idea of external session storage:)

We discovered we can make sessions shared by not using the Boncode/mod_cfml but configuring IIS as a proxy/reverse proxy roughly described like below.

We copied the app under the Lucee webapps:

lucee/tomcat/webapps/myapp

We configured IIS to act like proxy and created some rewrite rules on individual sites such that we point requests to corresponding document roots in Lucee.

site1.comhttp://localhost:8888/myapp/site1/
site2.comhttp://localhost:8888/myapp/site2

We saw sessions were working in between the apps!

But this time we are hitting a case insensitivity problem with the static content we’re serving which we think is caused by some setting in Tomcat:

Assume we have a style file in a folder in site1 like site1/Css/styles.css (capital C)

http://localhost:8888/myapp/site1/css/styles.css → 404 Not Found
http://localhost:8888/myapp/site1/Css/styles.css → 200 OK

In case of cfm files it seems case is insensitive:

http://localhost:8888/myapp/site1/Css/test.cfm → 200 OK
http://localhost:8888/myapp/site1/css/test.cfm → 200 OK
http://localhost:8888/myapp/site1/css/TEST.cfm → 200 OK

In the Boncode/mod_cfm scenario both Css and css works and we are now trying to understand what is causing this case in-sensitiveness “support” in that scenario.

Thank you.

Boncode has an HTTP header (well, not Boncode, but the Tomcat valve really) that allows you to override the unique context ID. That said, the web context really should have no bearing on the session sharing, so long as

  • the application name is the same
  • the session cookie is shared between sites
  • An external cache or DB is configured in all sites to store session (I think this bullet is only required if the sites are on different servers)

You can have as many web contexts as you like, even on different servers and they can all share sessions. It is sort of odd though that you have 3 different sites in different web roots and you want them to have the same session. That’s not really a common scenario.

And actually, the more I think of it, Lucee REQUIRES that each unique web root have a separate web context, that’s just how it works. Each web context has a single folder on disk that is the web root that your files are being served from. If you have 3 separate web roots, that’s 3 web contexts in Lucee!

What you’ve done with your proxy really could be accomplished with Boncode in place if you simply ran everything through the same IIS site and use rewrite rules to modify the URLs. But that still feels like a square peg in a round hole. I would let them be 3 separate sites/contexts and work on testing with the same Application name and session cookies.

Oh, BTW I didn’t say the name of the header because I really didn’t think it was your proper fix, but in case anyone saw my message above and is wondering, it’s

X-Webserver-Context

If you set that HTTP header in your web server, it will override the unique key that the Tomcat valve uses to decide what web context to use/create. Apache’s mod_cfml defaults to the host name and Boncode/IIS defaults to the IIS site ID. In order for the OP to use this however, they’d need 3 sites in IIS, all using the SAME web root and all setting the same X-Webserver-Context value which would cause the Tomcat valve to see them all as the same site. That’s sort of silly though since you may as well just use one IIS site if you really want them to all have the same web root!

Hi @bdw429s,

Thanks for the detailed reply. Wanted to give an update.

I tried to exploit the X-Server-Web-Context HTTP header (I patched mod_cfml to do that for us!) you’ve mentioned but since we want to have different DocRoots for the corresponding sites it did not provide a solution but thanks for the idea :slight_smile: (Unless we make a big lifting and shifting of code to make them use the single DocRoot the idea won’t work )

Why this setup?
Historically we have these different sites corresponding to different subdomains of our site which share a single Session on ACF without any problem.
site1.myapp.com → IIS site1
site2.myapp.com → IIS site2
and so on.

To be clear, it’s a feature, not a hack :slight_smile:

That’s odd, I’m pretty sure it already does that by default, so I’m not sure what you changed.

Yep, I mentioned that above :wink:

Have you researched the stuff we told you to look into? i.e. using the same application name with an external cache. You could also put in a ticket for Lucee to consider somehow allowing this, but honestly this behavior is more of a “happy accident” that Adobe CF supported and not anything documented or officially part of CFML IMO.

Hello again,

Finally had time to give an update.
Managed to achieve session sharing between multi sites using Tomcat’s Rewrite Rules. I defined the IIS sites in a Host with aliases in the server.xml file.

...
<Host name="site1.myapp.com" appBase="webapps">
   <Context path="/" docBase="C:/dev/myapp/src" >
    <Valve className="org.apache.catalina.valves.rewrite.RewriteValve" />
  </Context>
  <Alias>site2.myapp.com</Alias>
  <Alias>site3.myapp.com</Alias>
</Host>
...

I created a rewrite.config file under C:/dev/myapp/src/WEB-INF with the following rules. To recall, individual sites have their code bases under sub folders like C:/dev/myapp/src/siteN.myapp.com.

RewriteCond %{HTTP_HOST} site1.myapp.com
RewriteRule ^/(.*)$ /site1.myapp.com/$1  [L]

RewriteCond %{HTTP_HOST} site2.myapp.com
RewriteRule ^/(.*)$ /site2.myapp.com/$1  [L]

RewriteCond %{HTTP_HOST} site3.myapp.com
RewriteRule ^/(.*)$ /site3.myapp.com/$1  [L]

With this setup we are able to share the Session between our sites. Initial tests are OK as the user is not displayed a login page every now an then.

We are effectively by-passing mod_cfml here so I wonder if you guys find this solution reasonable or hacky. It seems with this method we’ll continue our Lucee migration with this obstacle behind us and most probably come back with some more questions!
Thanks to @bdw429s and @Zackster for suggestions.

1 Like