When using the ClusterSingleSignOn valve, it looks like the single sign on session state is not synchronized to cluster nodes when they start. The state is instead only replicated at the moment that an action is performed, so any nodes that come online after that action are out of sync. See mailing list discussion here: http://www.mail-archive.com/users@tomcat.apache.org/msg115472.html
Anyone working on this? If not I'll take a look. My initial thoughts are to make use of one of the ReplicatedMap implementations.
Not yet. I've just ClusterSingleSignOn implements ClusterValve.(r1645595) I am writing a document of ClusterSingleSignOn now. IMHO. If using the ReplicatedMap, it may be necessary to add jvmRoute to SSOID. If using SSO cache (ReplicatedMap) of backup node, it will be replicated to the other node. So, It may be necessary that the SSO Cookie is sticky. For example, setting the SSO Cookie name(JSESSIONIDSSO) to session_cookie of mod_jk. As a Result, all of the Web applications in the SSO can be used on the same node, I think to be able to suppress unnecessary replication.
The biggest problem I can see with ReplicatedMap at this point as that I don't want to / can't replicated the two Maps (cache and reverse) as currently implemented since that means replicating the entire session and a potentially non-serializable Principal. I'm looking into refactoring the SSO implementation to make this easier. Regarding adding jvmRoute to the SSO cookie, I see the point you are making and I agree with it. However, I think that point applies irrespective of this bug report and is probably best handled separately.
I have a patch but it is untested. I'm working on that now and hope to be able to commit something in the next 24 hours.
This is currently implemented in trunk (Tomcat 9). We need to discuss on the dev list which versions, if any, this can be back-ported to as there were a number of fairly invasive changes made to enable this to be implemented sensibly.
I've back-ported the fix to 8.0.x and it will be included in 8.0.x onwards. I'll wait for some feedback on that before back-porting it to 7.0.x.
*** Bug 28039 has been marked as a duplicate of this bug. ***
(In reply to Mark Thomas from comment #6) > I've back-ported the fix to 8.0.x and it will be included in 8.0.x onwards. > I'll wait for some feedback on that before back-porting it to 7.0.x. Just wondering...has there been any more thought to back-porting this fix to 7.0.x?
It has been long enough now without any issues being reported so I'll start work on the back-port.
Fixed in 7.0.x/trunk for 7.0.62 onwards.