Just to update this thread take a look at
http://jira.jboss.com/jira/browse/JBAS-2568
Bottom line: the attribute emptySessionPath must be set to "false" for the
specific connector. That will make Tomcat respond to the request using
an internally generated cookie.
As stated there, though, this might come with problems for portlets and
other web apps that rely on session sharing between them.
On 10/26/07, Nestor Urquiza <nestor.urquiza at gmail.com> wrote:
So I have found my own answer. Basically, if the request is made
using
Cookie: JSESSIONID=.<node name>
The curious part is that when a request is made and the proper node
responds, the session Id keeps being ".<node name>". I would expect the
cookie to be rewritten by the server, but it never is.
This makes me think about an attack possibility. If a hacker somehow
manages to redirect a user with that session Id to a cluster
environment, he could potentially access sensitive user data because in
fact he knows the user's session?
I have even done tests from two different IPs, and my program kept the
session with the two requests using the same ".node3C1" session Id:
[Fri Oct 26 10:22:04 2007] [30497:26304] [debug]
ajp_done::jk_ajp_common.c (2194): recycling connection pool slot=0 for
worker node3C1
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
wc_maintain::jk_worker.c (318): Maintaining worker node1C1
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
service::jk_lb_worker.c (735): service sticky_session=1 id='.node3C1'
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
get_most_suitable_worker::jk_lb_worker.c (634): searching worker for
partial sessionid .node3C1
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
get_most_suitable_worker::jk_lb_worker.c (642): searching worker for
session route node3C1
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
get_most_suitable_worker::jk_lb_worker.c (655): found worker node3C1
(node3C1) for route node3C1 and partial sessionid .node3C1
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
service::jk_lb_worker.c (755): service worker=node3C1
jvm_route=node3C1
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
ajp_service::jk_ajp_common.c (1734): processing node3C1 with 2 retries
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug]
ajp_done::jk_ajp_common.c (2194): recycling connection pool slot=0 for
worker node3C1
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
wc_maintain::jk_worker.c (318): Maintaining worker node1C1
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
service::jk_lb_worker.c (735): service sticky_session=1 id='.node3C1'
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
get_most_suitable_worker::jk_lb_worker.c (634): searching worker for
partial sessionid .node3C1
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
get_most_suitable_worker::jk_lb_worker.c (642): searching worker for
session route node3C1
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
get_most_suitable_worker::jk_lb_worker.c (655): found worker node3C1
(node3C1) for route node3C1 and partial sessionid .node3C1
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
service::jk_lb_worker.c (755): service worker=node3C1
jvm_route=node3C1
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
ajp_service::jk_ajp_common.c (1734): processing node3C1 with 2 retries
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
ajp_connection_tcp_send_message::jk_ajp_common.c (892): 00f0 30 00
06 00 07 6E 6F 64 65 33 43 31 00 FF 00 00 - 0....node3C1....
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug]
ajp_done::jk_ajp_common.c (2194): recycling connection pool slot=0 for
worker node3C1
Any ideas about how to make the server force the creation of a brand
new random session id after receiving any request using a non-existing
session id?
Thanks!
-Nestor
On 10/15/07, Nestor Urquiza <nestor.urquiza at gmail.com> wrote:
> Hello guys,
>
> Just new to JBoss World, so if this is not the right list please be
> kind and advise where I should post the question.
>
> Currently we have a cluster formed of three nodes, each of them on a
> separate machine. I want to be able to target a specific node from my
> HTTP request. Is there any HTTP header/GET/POST param that would allow
> me to make one node respond to my request?
>
> Thanks in advance,
>
> -Nestor
>
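As an added example (not code from the thread or from mod_jk/JBoss), here is a small Python detector an operator can run over mod_jk debug lines like the ones quoted above to spot requests whose sticky-session id carries only a jvmRoute suffix (the ".node3C1" case) and no real session part. The sample log is constructed from the lines in the thread, rejoined after e-mail wrapping, plus one constructed line with a full id; the split-on-last-dot rule is an assumption about the id layout, not a claim about mod_jk's exact parser.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: mod_jk lines from the thread (unwrapped) plus one
# constructed line with a normal "<session>.<route>" id for contrast.
SAMPLE_LOG = """\
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug] service::jk_lb_worker.c (735): service sticky_session=1 id='.node3C1'
[Fri Oct 26 10:22:35 2007] [30495:26304] [debug] get_most_suitable_worker::jk_lb_worker.c (655): found worker node3C1 (node3C1) for route node3C1 and partial sessionid .node3C1
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug] service::jk_lb_worker.c (735): service sticky_session=1 id='.node3C1'
[Fri Oct 26 10:23:15 2007] [30496:26304] [debug] service::jk_lb_worker.c (735): service sticky_session=1 id='A1B2C3D4E5F6.node1C1'
"""

# Matches only the "service sticky_session=<n> id='<id>'" lines.
SERVICE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<pid>[^\]]+)\] \[debug\] "
    r"service::jk_lb_worker\.c \(\d+\): service sticky_session=(?P<sticky>\d) "
    r"id='(?P<id>[^']*)'"
)


def split_session_id(sid: str) -> Tuple[str, Optional[str]]:
    """Split a JSESSIONID value into (session part, route).

    Assumption: the route is whatever follows the last '.', so '.node3C1'
    yields an empty session part and the route 'node3C1'.
    """
    if "." not in sid:
        return sid, None
    session, route = sid.rsplit(".", 1)
    return session, route


def find_route_only_ids(log_text: str) -> List[Dict[str, str]]:
    """Return sticky-routed requests whose id is a bare route with no session."""
    findings = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line)
        if not m:
            continue
        session, route = split_session_id(m.group("id"))
        if m.group("sticky") == "1" and route and session == "":
            findings.append({"ts": m.group("ts"), "route": route, "id": m.group("id")})
    return findings


if __name__ == "__main__":
    for f in find_route_only_ids(SAMPLE_LOG):
        print(f"{f['ts']}: route-only session id {f['id']!r} steered to {f['route']}")
```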