Project: Product Roadmaps
Issue: MMF-305

Server stateless web sessions


    Details

    • Type: MMF
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Labels:

      Description

      Web sessions are currently stored on the server by Tomcat. They are loaded when a JSESSIONID cookie is sent within an HTTP request. Scaling this stateful server approach is complex, as the sessions must be replicated across the instances of a Tomcat cluster. It can also require configuring IP affinity or sticky sessions in the load balancer.
      The right solution is to move to a stateless server paradigm. Basically:

      • the server generates a session token the first time a user sends a request. The token is signed with a secret.
      • the token is kept by the client (cookie or local cache, to be defined) and sent with all requests (cookie or HTTP header, to be defined).
      • when receiving a request, the server verifies that the token was signed by itself. If it matches, then it can trust the data contained in the token (basically the login and name).

      JWT (https://jwt.io/) is the standard today for implementing such an approach.
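      The three steps above, issued and verified end to end, as an added example that is not part of this ticket or of the project's code. It uses only the Python standard library and follows the JWT HS256 layout (base64url header.payload.signature, HMAC-SHA256): the server signs the login and name with a secret it alone holds, and on every request it recomputes the signature before trusting the claims. The secret, claim values and clock values are constructed for the demo; the function names are this example's own.

```python
"""Stateless session token: issue on first request, verify on every request."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed server-side secret for the demo. A real server loads it from
# configuration; it never leaves the server, which is what makes the
# signature proof of origin.
SERVER_SECRET = secrets.token_bytes(32)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def issue_token(login: str, name: str, secret: bytes = SERVER_SECRET,
                ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Step 1: build a signed token for a freshly authenticated user."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"login": login, "name": name, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = (_b64url_encode(compact(header)) + "."
                     + _b64url_encode(compact(claims))).encode("ascii")
    # Step 2 is the client's job: keep this string and send it back each time.
    return signing_input.decode("ascii") + "." + _b64url_encode(_sign(signing_input, secret))


def verify_token(token: str, secret: bytes = SERVER_SECRET,
                 now: Optional[int] = None) -> Optional[dict]:
    """Step 3: return the claims only if this server signed the token and it
    has not expired; return None for anything else (malformed, forged, stale)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # bad base64 or bad JSON (binascii.Error is a ValueError)
        return None
    # Pin the algorithm server-side: the token must not choose how it is checked.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = _sign(f"{header_b64}.{payload_b64}".encode("ascii"), secret)
    # Constant-time comparison, so timing does not leak how much of the MAC matched.
    if not hmac.compare_digest(expected, signature):
        return None
    # Only now is the payload trustworthy; decode it and enforce expiry.
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    token = issue_token("alice", "Alice Liddell", now=t0)
    print("issued:", token)
    print("verified:", verify_token(token, now=t0 + 5))
    print("after expiry:", verify_token(token, now=t0 + 3601))
```

      Two properties worth keeping in mind when the cookie-vs-header and TTL decisions are made: the payload is only base64-encoded, not encrypted, so the login and name are readable by whoever holds the token and nothing confidential belongs in it; and because the server keeps no session state, a token cannot be revoked before its `exp` without reintroducing some server-side record, so the TTL is the main lever for limiting a leaked token's lifetime.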

              People

              Assignee:
              christophe.levis Christophe Levis
              Reporter:
              simon.brandhof Simon Brandhof (Inactive)
               Votes:
               0
               Watchers:
               4
