Affects Version/s: None
Fix Version/s: None
I tracked this down to the fact that cookies do not typically set the port. So, per the RFC, they can be sent to a different server as long as the host name is the same.
Setting the port in the cookie may cause other issues with browsers (and how does this play with firewalls and proxies?).
One simple solution is to make the cookie name configurable. If we ever switch to shiro-guice (which will remove a bunch of other code) we could easily inject/configure the cookie name.
Or, if we are going to keep our boilerplate code, we could configure the cookie name in org.sonatype.nexus.security.NexusWebRealmSecurityManager.init() to call webSessionManager.setSessionIdCookie(...)
I started two Nexus Pro instances locally.
Established a Smart Proxy trust between A and B.
Created apache-snapshots-proxy repo on Nexus B proxied to Nexus A http://localhost:8081/nexus/content/repositories/apache-snapshots
Besides logging into the UI only a few times, I noticed the following after a short while in the Nexus B logs:
jvm 1 | 2012-01-19 15:45:22 INFO [Thread-25 ] - org.apache.shiro.session.mgt.AbstractValidatingSessionManager - Validating all active sessions...
jvm 1 | 2012-01-19 15:45:22 INFO [Thread-25 ] - org.apache.shiro.session.mgt.AbstractValidatingSessionManager - Finished session validation.  sessions were stopped.
Nexus A seemed to have 169 sessions cleaned up.
How is it that 274 sessions were created? Are these being created by smart proxy?
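The session churn discussed in this issue can be reproduced with a small model. This is an added example, not Nexus or Shiro code: it models a cookie jar that ignores the port and two session managers on the same host, first sharing one cookie name and then using distinct names. The class names, the cookie names NXSESSIONID_A and NXSESSIONID_B, and port 8082 for the second instance are assumptions.

```python
# Constructed model (not Nexus or Shiro code): one browser, two servers on the
# same host but different ports. Cookie names and port 8082 are assumptions.
import itertools

class SessionServer:
    """Stand-in for a session manager that tracks sessions by cookie."""
    def __init__(self, label, cookie_name):
        self.label, self.cookie_name = label, cookie_name
        self.sessions = set()            # orphaned ids stay here until they time out
        self._seq = itertools.count(1)

    def handle(self, cookies):
        """Process one request; return the cookies to set on the response."""
        if cookies.get(self.cookie_name) in self.sessions:
            return {}                    # known session id, reuse it
        sid = f"{self.label}-{next(self._seq)}"   # unknown or missing id: new session
        self.sessions.add(sid)
        return {self.cookie_name: sid}

class Browser:
    """Cookie jar keyed by (host, name); the port is not part of the key."""
    def __init__(self):
        self.jar = {}

    def request(self, host, port, servers):
        # Every cookie stored for this host is sent, whatever the port.
        cookies = {n: v for (h, n), v in self.jar.items() if h == host}
        response = servers[port].handle(cookies)
        for name, value in response.items():
            self.jar[(host, name)] = value   # same name overwrites the other server's id

def simulate(name_a, name_b, rounds):
    """Alternate requests between both servers; return sessions created by each."""
    servers = {8081: SessionServer("A", name_a), 8082: SessionServer("B", name_b)}
    browser = Browser()
    for _ in range(rounds):
        browser.request("localhost", 8081, servers)
        browser.request("localhost", 8082, servers)
    return len(servers[8081].sessions), len(servers[8082].sessions)

if __name__ == "__main__":
    print("shared name   :", simulate("JSESSIONID", "JSESSIONID", 5))
    print("distinct names:", simulate("NXSESSIONID_A", "NXSESSIONID_B", 5))
```

With a shared cookie name, each server sees the other's session id, does not recognise it, and creates a new session on every request; with distinct names each server creates exactly one.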