/elmr/session always returns a new session ID

[ddriddle]

@argherna please consider the following curl commands:

$ curl -b cookie.txt -c cookie.txt -I  http://127.0.0.1/elmrsample/attributes
HTTP/1.1 302 
Server: nginx/1.14.0
Date: Wed, 07 Nov 2018 01:33:49 GMT
Connection: keep-alive
Set-Cookie: __edu.illinois.techservices.elmr.serviceUrl=/elmrsample/attributes; Path=/
Location: http://127.0.0.1/auth/elmr/session

$ curl -b cookie.txt -c cookie.txt -I  http://127.0.0.1/auth/elmr/session
HTTP/1.1 302 302
Server: nginx/1.14.0
Date: Wed, 07 Nov 2018 01:34:13 GMT
Connection: keep-alive
Set-Cookie: __edu.illinois.techservices.elmr.servlets.sessionKey=LTcwNTEzNTYwNjYwNjE4MjExMQ==; Path=/
Location: http://127.0.0.1/elmrsample/attributes

$ curl -b cookie.txt -c cookie.txt -I  http://127.0.0.1/auth/elmr/session
HTTP/1.1 302 302
Server: nginx/1.14.0
Date: Wed, 07 Nov 2018 01:34:37 GMT
Connection: keep-alive
Set-Cookie: __edu.illinois.techservices.elmr.servlets.sessionKey=OTQ3MjA4MzcxMTk3MzYyNzY5; Path=/
Location: http://127.0.0.1/elmrsample/attributes

Note that sessionKey changes between the first call to /auth/elmr/session and the last call. This does not seem desirable to me. If the user's Shibboleth session has not changed then why should we change the session key ID? Also this could be a potential DoS attack. This would allow a single user to spam elmr with requests which would eventually blow out the Redis cache.

[argherna]

That's true. Perhaps a second key needs to be set, like the HTTP Session in Tomcat. Cookies are used to manage that; perhaps that's the way to do it.

[argherna]

This is tricky though. In thinking this through HTTP sessions would have to be able to scale horizontally, right? If that's the case, then we would need to install a session manager for Tomcat that allowed for that (like this one). It has issues, and would take some work to get moving. But it's an idea. I'd like to discuss our options though before we work on this too much more.

[ddriddle]

@argherna Yes, we must support horizontal scaling. @kwessel Instead of using a Tomcat session, could we use the Shibboleth session ID?

[argherna]

Another thought. Elmr is temporary for us. We will eventually use congnito with SAML. Could we take a shortcut here and make the session sticky? If so, we can develop a simple solution to this problem.

[argherna]

We can identify the user with the environment variable Shib_Session_ID. This uniquely identifies the user. So, elmr could set a pair with this identifier as the key and the generated session key as the value. Then the generated session key would be used to store the user session data as before.