Web sessions are currently stored on the server by Tomcat. They are loaded when a JSESSIONID cookie is sent with an HTTP request. Scaling this stateful server approach is complex, as sessions must be replicated across the instances of the Tomcat cluster. It can also require configuring IP affinity or sticky sessions in the load balancer.
The right solution is to move to a stateless server paradigm. Basically:
- the server generates a session token the first time a user sends a request. The token is signed with a secret.
- the token is kept by the client (cookie or local cache, to be defined) and sent with every request (cookie or HTTP header, to be defined).
- when receiving a request, the server verifies that the token was signed by itself. If the signature matches, it can trust the data contained in the token (basically the login and name).
JWT (https://jwt.io/) is the standard today for implementing such an approach.
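The issue/verify round trip described above, written out by hand as an added example (this is not code from the original note or from the project); it uses HS256 (HMAC-SHA256) so that the three steps stay visible: sign the token with a server secret, let the client present it, and trust the claims only after the signature and expiry have been checked. The secret, the claim names (`sub`, `name`, `iat`, `exp`) and the one-hour TTL are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for the example; a real deployment loads it from
# configuration and keeps it out of source control.
SECRET = b"example-server-secret-change-me"
# The server pins the algorithm it accepts; the token never gets to choose.
ALLOWED_ALG = "HS256"


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def hmac_sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def issue_token(login: str, name: str, secret: bytes = SECRET,
                ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Step 1: the server builds a token carrying login and name, signed with its secret."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    payload = {"sub": login, "name": name, "iat": now, "exp": now + ttl_seconds}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature_b64 = b64url_encode(hmac_sign(signing_input, secret))
    return f"{header_b64}.{payload_b64}.{signature_b64}"


def verify_token(token: str, secret: bytes = SECRET,
                 now: Optional[int] = None) -> Optional[dict]:
    """Step 3: return the claims only if the token was signed by this server
    and has not expired; otherwise None. Nothing in the payload is read
    before the signature check passes."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(signature_b64)
    except ValueError:  # bad base64 or bad JSON
        return None
    # Reject anything but the pinned algorithm (covers "alg": "none").
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac_sign(signing_input, secret)
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, signature):
        return None
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(payload, dict):
        return None
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload


if __name__ == "__main__":
    # Step 2 is the client's job: keep the token and send it back on each request.
    token = issue_token("alice", "Alice Example")
    print("issued:", token)
    print("verified claims:", verify_token(token))
    print("with wrong secret:", verify_token(token, secret=b"another-secret"))
```

The points worth noting in the verifier: the accepted algorithm is fixed server-side rather than read from the token, the HMAC is compared with `hmac.compare_digest`, and the payload is decoded only after the signature is confirmed, which is what makes the login and name trustworthy without any server-side session store.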