In my previous post I presented the basics of sharing sessions in a cluster by storing session data in a client-side cookie. In part 2, I'll talk about the security aspects of this client-side cookie store, i.e. how to protect it from security threats.
To prevent attacks specific to client-side sessions, I'll add encryption, signing, and session timeout to the code. In addition, I'll talk about solutions to protect against security threats common to any web application, such as Session Hijacking, Session Replay, and Cross-Site Scripting. The result will be an implementation of the Session-In-Cookie pattern that allows simple and secure session-sharing in a cluster.
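To make the three protections concrete, here is an added example of a cookie codec that encrypts and authenticates the serialised session attributes and embeds an expiry time inside the protected payload. This is my own illustration, not the code from this post or the previous one, and it makes a few assumptions: Java 11 or later, the `javax.servlet` `Cookie` class (Tomcat 9; Tomcat 10 uses `jakarta.servlet`), an AES key that every node in the cluster shares, and AES-GCM as the single primitive that provides both the encryption and the signing the post describes (it is an authenticated cipher, so a separate HMAC step is not needed). The attribute format (`key=value&key=value`, URL-encoded) is a constructed one chosen for brevity.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.Cookie;

/** Encodes session attributes into a tamper-evident, encrypted, expiring cookie value. */
public final class SessionCookieCodec {
    private static final int IV_BYTES = 12;    // recommended GCM nonce length
    private static final int TAG_BITS = 128;   // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey key;               // must be identical on every cluster node
    private final long maxAgeMillis;           // session timeout enforced inside the payload

    public SessionCookieCodec(byte[] rawAesKey, long maxAgeMillis) {
        this.key = new SecretKeySpec(rawAesKey, "AES");
        this.maxAgeMillis = maxAgeMillis;
    }

    /** Serialises the attributes, prepends the absolute expiry time and encrypts the whole thing. */
    public String encode(Map<String, String> attributes) throws GeneralSecurityException {
        byte[] payload = serialize(attributes);
        // The expiry lives inside the ciphertext, so it is covered by the GCM tag
        // and cannot be extended by editing the cookie.
        byte[] plaintext = ByteBuffer.allocate(Long.BYTES + payload.length)
                .putLong(System.currentTimeMillis() + maxAgeMillis).put(payload).array();
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);                      // fresh nonce per cookie: never reuse with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ciphertext = cipher.doFinal(plaintext);
        byte[] out = ByteBuffer.allocate(iv.length + ciphertext.length).put(iv).put(ciphertext).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Returns the attributes, or null when the value is malformed, tampered with, or expired. */
    public Map<String, String> decode(String cookieValue) {
        try {
            byte[] in = Base64.getUrlDecoder().decode(cookieValue);
            if (in.length < IV_BYTES + TAG_BITS / 8) return null;
            Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
            // doFinal throws AEADBadTagException if a single bit was changed: this is the "signature" check
            byte[] plaintext = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);
            ByteBuffer buf = ByteBuffer.wrap(plaintext);
            long expiresAt = buf.getLong();
            if (System.currentTimeMillis() > expiresAt) return null;   // session timeout
            byte[] payload = new byte[buf.remaining()];
            buf.get(payload);
            return deserialize(payload);
        } catch (IllegalArgumentException | GeneralSecurityException e) {
            return null;                        // treat every failure the same: no session
        }
    }

    /** Builds the cookie with the flags that limit XSS theft and plaintext transport. */
    public Cookie toCookie(String encodedValue) {
        Cookie c = new Cookie("SESSION", encodedValue);
        c.setHttpOnly(true);                    // not readable from JavaScript
        c.setSecure(true);                      // only sent over HTTPS
        c.setPath("/");
        c.setMaxAge((int) (maxAgeMillis / 1000));
        return c;
    }

    private static byte[] serialize(Map<String, String> attrs) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : attrs.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8)).append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }

    private static Map<String, String> deserialize(byte[] payload) {
        Map<String, String> attrs = new LinkedHashMap<>();
        String s = new String(payload, StandardCharsets.UTF_8);
        if (s.isEmpty()) return attrs;
        for (String pair : s.split("&")) {
            int eq = pair.indexOf('=');
            if (eq < 0) throw new IllegalArgumentException("malformed attribute pair");
            attrs.put(URLDecoder.decode(pair.substring(0, eq), StandardCharsets.UTF_8),
                      URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8));
        }
        return attrs;
    }

    // Constructed demo: a 32-byte key and a 30-minute timeout.
    public static void main(String[] args) throws Exception {
        SessionCookieCodec codec = new SessionCookieCodec(new byte[32], 30 * 60 * 1000L);
        String value = codec.encode(Map.of("userId", "42", "role", "editor"));
        System.out.println("round trip: " + codec.decode(value));          // {userId=42, role=editor}
        String forged = value.substring(0, value.length() - 2) + "AA";     // flip bytes in the tag
        System.out.println("tampered: " + codec.decode(forged));           // null
    }
}
```

Two points worth checking in a real deployment: the encoded value grows by the 12-byte nonce, the 16-byte tag and Base64 expansion, so keep the attribute set small to stay under the roughly 4 KB cookie limit browsers enforce; and the embedded timeout only bounds the replay window, so the hijacking and replay defences the post goes on to discuss are still needed on top of it.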
In a recent project we needed to deploy application changes to a Tomcat cluster without an outage for end users. To accomplish this, the Tomcat sessions had to be shared across the nodes. We opted to implement a variant of the Session-In-Cookie pattern popular in the Rails framework, a simple solution to session sharing. This post shows how to implement the Session-In-Cookie pattern in Java.