In load balancing server environment is it possible to maintain the session state in httpcontext or request cookie.
Does it cause any performance issue or security issue?
Assuming your cookie is encrypted it shouldn't be a security issue, but if you have a lot of session it will cause a lot of extra traffic. I think you need to be more clear about what part of httpcontext you would store the session state in.
Context is usually request driven (so doesn't persist).
You can save things to cookie but they're insecure unless you go about signing your cookies. But this (naturally) has a performance hit.
The most logical method is to move your session store to a shared platform. I don't know what you're using but later versions of IIS have methods for sharing the session and if you're using something like Django, you can host the session on something like Memcached.
Most platforms also have the option of storing the session in the database. This is okay if your DB is fast and well balanced.
A distributed, dedicated session server is by far the best solution if all your machines are in the same datacentre though.
If you really want to have the same session in a server farm, use out of proc distributed session state provider i.e. ASP Net Session or even better, memcached, SOSS State Server, and many others.
Related
From my point of view, session violates RESTfulness either when it is stored in the memory or db.
In case of session stored in the memory, it is hard to scale up the server using like load-balancing since servers don't share the session data.
Likewise in case of session stored in database, the database will be over-loaded when many servers simultaneously make queries.
My issue is related with the second case.
For a long time, I had thought that the server and database are different.
My past-assumption)
When client make request to the server with specific data, then server stores that data in the database like mysql or mongo etc.
So server don't have to care about the client's state since database has all control over them.
Server can stand alone against the client's request since server can make query to the database whenever wants to know who the client is.
So my two questions are that,
Whenever mentioning that "RESTful server stand alone against the client's request", is that 'server' includes database?
If yes, and if there is a User model and a Post-model associated with one-to-many relation, isn't that also violates RESTfulness?
I am sure that the second question makes no sense, since if the second question's answer is true, then RESTapi would have never been that useful.
But I cannot understand the difference between session in the database violates RESTfulness and the User-Post does not violate Restfulness.
I think that both of them are following the same procedure, client-server-database.
How can I understand this issue easily?
What's generally meant with statelessness is, summed up that : all the information to execute the HTTP request is self-contained within the request.
Some implications are that:
I can disconnect the TCP socket and re-open it, or I can keep a TCP connection open and it makes no difference. All the information to execute the request is contained within the request.
In the case of idempotent methods, I can re-do the exact same request and end up with the same state as if I only did it once.
In other words,
There are more complete descriptions of statelessness and HTTP, but the important thing is that statelessness here does NOT mean that the server cannot have any state at all. Most REST services are probably useless if there is no state.
Now to the question of whether having a session violates REST principals. I think it's hard to objectively state this either way. The important parts in relation to your question is that to be RESTful you need a concept of resources, a concept of being able to address them and a concept of transferring state between client and server. (there are more things that make up a REST service, but here are a few relevant bits).
I don't think having a means of authentication prevents this, whether authentication is done via an Authorization header or a Cookie header is not really that relevant.
If the session cookies and associated session data starts interfering with this process in other ways, it might be possible for a session-related feature to violate REST principals, but I don't think this is generally true.
If there are 'many articles' saying that sessions violate REST, I don't think there is any real basis for this. There is a lot of garbage descriptions of REST going around. I do think it might be bad for other reasons to use cookies for authentication. It does create potential for security issues.
Restful server is separate from the database.
Restful server, if there is such a thing, is just a web server.
REST is just an architecture, say a methodology, that delivers information from server to client and vice versa over HTTP.
I'm creating a web application (in C++, for performance) where I'm expecting to process a tremendous amount of events per second; like thousands.
I've been reading about invalidating JWT tokens in my web sessions, and the most reasonable solution for that is to have a storage place for blacklisted tokens. The list has to be checked for every request, and what I'm wondering is performance related: Should I create a separate system for storing my blacklisted tokens (like redis)? Or should I just use the same PostgreSQL database I'm using for everything else? What are the advantages of using another system?
The reason I'm asking is that I saw many discussions about invalidating JWT tokens online, and many suggest to use redis (and don't explain whether it's just a solution relevant to their design or whether it's a replacement to their SQL database server for some reason). Well, why not use the same database you're using for your web application? Is there a reason that makes redis better for this?
Redis is a lot faster since its stored on memory of the server rather than opening a connection to the DB, querying and returning the results. So if speed is of importance then Redis is what you would want.
The only negative is if the server restarts the blacklisted tokens are gone. Unless you save them on disk somewhere.
I understand that rest ws is stateless. And we are expecting pretty high traffic. Is it a good idea to set session timeout (we are using tomcat) really low? Like one minute? pros and cons?
If you are expecting high traffic, session management will bring overhead to your application and with a one minute timeout your server will consume time invalidating lots of sessions.
If your application is indeed stateless then don't use sessions. You can't fully disable them either but if you don't do getSession() then you should be fine.
If you (absolutely) want to be sure no code is creating sessions, you could have a look at Tomcat's session manager component and maybe create your own implementation that tells you what's happening when you subject your server to some stress tests.
I have an ASP.Net MVC application which makes significant use of session to save state (including large data collections). At present, it is hosted on a single web server. The session is set to the default of InProc.
An issue arises whereby the application freezes for some users when many users are on line. I guess that this is because InProc session does not scale too well, and that there is only so much memory available to the process. (What happens if memory demand exceeds the available memory - does it swap out to disk?)
I have a couple of solutions in mind that would help with scalability. (a) Sql server session state; (b) Configure session state to use AppFabric caching. The first option looks like a good solution, except that it will affect performance and require stored items to be serializable.
What about configuring session state to use AppFabric caching (aka Velocity) in an environment where the single web server is also used as the cache host? How does this differ from InProc in this single-server environment? Will this provide more scalability and available memory than InProc, or will it essentially amount to the same constraints?
You would be better off implementing AppFabric Cache for your scenario. As your system grows, you can increase the number of cache servers with each new web node - something you cannot easily do with SQL Server without additional cost. SQL Server licensing also costs much more than AppFabric - which is bundled with a Windows Server license.
The only benefit SQL Server will provide is recoverability, but for what you need, it's probably overkill.
See related SO post discussing AppFabric Cache vs. SQL Server for session.
As for AppFabric Cache vs. InProc...
You could put your AppFabric Cache on another server if you are running into memory limitations. You can't do this with InProc.
Here are some other miscellaneous benefits of the AppFabric Cache:
Supports Local Cache to speedup retrieval costs involved in serializing/deserializing.
Provides finer grained controls with respect to cache eviction and expiration policies.
Supports compression of session contents to reduce network bandwidth.
Blob mode versus single item retrieval to improve data retrieval for large objects.
Same session state store can be used across multiple applications (via sharedId).
The most important thing is that the session will survive an app-pool recycle and even a redeploy of the application.
Also AppFabric can serialize IXmlSerializable objects as well as [Serializable]. If you try to use the out-of-proc ASP.NET session service you ironically cannot serialize IXmlSerializable objects such as XElement. You can also do completely customized serialization if you want. With AppFabric your app is much more 'azure' ready if you ever move that way.
Then of course you can use it for caching other data if you have a need for that.
I have a perl web application (CGI::Application with ModPerl::Registry) which connects to a authenticated custom server over a socket and exchanges data (command/response) with it. Currently the web application connects to the server, authenticates and disconnects on every page request - even for the same user.
Is there some way I can use the same socket over multiple page requests which share a common session id? Creating a separate daemon that proxies connections and makes them persistent is an option I am exploring, but would like to know if there are any simpler solutions.
I have no control over the design of the custom server unfortunately.
Looks like the same question was asked on PerlMonks. The responses there point in the right direction, but the issue seems to be that you want one cached connection per session, not one cached connection per session per httpd thread/process. You might have to resort to a separate proxy process to get the behaviour you want.