Session Management in microservices

java session cookies weblogic microservices
Fahim Farook picture Fahim Farook · Sep 23, 2015 · Viewed 26.3k times · Source

We have the following setup.

  1. STM (Stingrey Traffic Manager) does load balancing + session stickiness
  2. Weblogic 'cluster'
  3. Auth handled by a third party tool

Therefore I do not have to worry about session with regards to horizontal scaling/ running multiple instances of the application. STM/ Weblogic cluster makes sure that the subsequent request come to same managed server.

What we currently have is a monolithic application and we are trying to move to microservices. Also we do not wan't to move out of current infrastructure (i.e. STM/ Weblogic cluster/ Auth tool). What we have planned is:

  1. A Gateway WAR which routes requests to other microservices
  2. N x Microservices (WAR) for each functional sub-domain
  3. Only the API Gateway receives user requests and other microservices are not accessible from outside

So my question is

  1. Should API Gateway be state-full while other microsevices are stateless?
  2. If so, how should the user session data be shared between API Gateway and microservices?

Please suggest any better alternatives and resources/links as well. Thanks.

Answer

Mark Bramnik picture Mark Bramnik · Sep 23, 2015

Let me share my opinion.

First of all, if you can keep your application stateless, by all means do so :) It will be the best solution in terms of both performance and scalability.

Now, if its impossible, then you should maintain some distributed session management layer.

The gateway responsible for authentication could generate some unique session identifier which could later be used as a key. This key could be propagated to all the microservices and be a part of the API or something.

In order to access the session, the microservice could 'get' value by key and work with it.

In terms of implementation: I would take a look on NoSQL solutions. Some of them that can suit your need are:

  1. Redis. Take a look on ''hset'' there
  2. Hazelcast. Its more a in-memory grid but if the solution is java only, you can also implement the required functionality
  3. Memcache.d. It will give you an old good map, just distributed :)

There are also other solutions I believe.

Now, the performance is crucial here, otherwise the whole solution will be just too slow. So In my understanding, using an RDBMS would be not be good here, moreover potentially it would be harder to scale it out.

Hope this helps

Related questions

Session/cookie management in Apache JMeter

We have a simple performance test flow in an application. We login Search based on some criteria repeat searches for different parameters. We are using Jmeter to do a performance testing. We need to have multiple threads running to test …

Read More
Best option for Session management in Java

Best way managing session in Java. I heard that cookies are not reliable option for this as they gets stored into browser and can be accessed later on? Is this correct? If possible please come up with the answers with …

Read More
How to Handle the Session in HttpClient 4.1

I am using the HttpClient 4.1.1 to test my server's REST API. I can manage to login seem to work fine but when I try to do anything else I am failing. Most likely I have a problem setting the cookie …

Read More