17

I'm a bit confused about the use of the session stickiness on Amazon Web Services. When I deploy my Java web application using Amazon Elastic Beanstalk, I can choose to enable the session stickiness and then specify a cookie expiration period.

My application uses cookies for the session (JSESSIONID) as well as for other small things. Most of the website is accessible only after logging in (I use Spring Security to manage it). The website will run on up to 25 small EC2 instances.

Should I enable the session stickiness? If I don't enable it, does it mean that I could be suddenly logged out because the load balancer took me to another server (not the server that authenticated me)? If I enable the session stickiness, do I get logged out when the server that authenticated me gets shut down? Basically, why and when should I use session stickiness?

Thank you very much.

satoshi

2 Answers

22

> If I don't enable it, does it mean that I could be suddenly logged out because the load balancer took me to another server (not the server that authenticated me)?

Yes

> If I enable the session stickiness, do I get logged out when the server that authenticated me gets shut down?

Yes

When using Elastic Beanstalk with a typical Java webapp, I think you will definitely want to enable session stickiness. Otherwise each HTTP request from a user's browser could be routed to a different server.

To get around the issue of the user's session being destroyed when the server they are "stuck" to gets shut down, you would need to look into Tomcat session replication. This isn't something that Elastic Beanstalk comes with out of the box, unfortunately, so in order to set up session replication you would have to create a custom Elastic Beanstalk AMI for your application to use. Also, you would have to use an implementation of Tomcat session replication that does not rely on multicast, since multicast isn't available on AWS, or any other cloud environment that I know of. An example of an implementation that doesn't rely on multicast would be one that uses a database (such as Amazon RDS) or memcached server (such as Amazon ElastiCache) to make the sessions available across multiple Tomcat instances.

Also note that the Elastic Beanstalk UI only allows you to enable load balancer-generated HTTP cookies. However, after Elastic Beanstalk has created the load balancer, you can go into the EC2 console and modify the load balancer's settings to switch it to application-generated HTTP cookies, and then tell it to use the "JSESSIONID" cookie.

Mark B
  • Thank you very much for your exhaustive response, @mbaird. I've configured the session replication in Tomcat using a MySQL DB. I followed this guide: http://www.intelligrape.com/blog/2010/07/21/tomcat-6-session-persistence-through-jdbcstore/. It works fine when there is one single EC2 instance. When there are two (or more) it goes in a redirect loop when logging in. It 302 redirects to the home page again and again. Every time it gets redirected, the server sets a cookie with a different JSESSIONID. Have you got any idea why it is happening? Thank you! – satoshi May 08 '12 at 22:53
  • 3
    Configuring `memcached-session-manager` to work with Amazon ElastiCache solved the problem. Thanks! – satoshi May 20 '12 at 19:07
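
The three cases discussed in the answer above (no stickiness, stickiness with local sessions, stickiness plus an external session store), as a small simulation added here for illustration; it is not code from the post. The `Node`, `LoadBalancer` and `scenario` names are hypothetical, and a shared dict stands in for the memcached or database store.

```python
import secrets

class Node:
    """One app server. Sessions live in local memory unless a shared store is passed in."""
    def __init__(self, name, shared_store=None):
        self.name = name
        # The shared dict is a stand-in for memcached / a database (assumption).
        self.sessions = shared_store if shared_store is not None else {}

    def create_session(self, user):
        sid = secrets.token_hex(16)          # plays the role of JSESSIONID
        self.sessions[sid] = user
        return sid

class LoadBalancer:
    """Round-robin balancer; `affinity` models the stickiness cookie binding."""
    def __init__(self, nodes, sticky):
        self.nodes, self.sticky = list(nodes), sticky
        self.affinity, self._next = {}, 0

    def route(self, sid=None):
        node = self.affinity.get(sid) if self.sticky else None
        if node not in self.nodes:           # not pinned, or the pinned node is gone
            node = self.nodes[self._next % len(self.nodes)]
            self._next += 1
            if self.sticky and sid:
                self.affinity[sid] = node
        return node

def scenario(sticky, shared, kill_pinned_node=False, requests=6):
    """Log in once, send `requests` follow-ups; True if every one stays authenticated."""
    store = {} if shared else None
    nodes = [Node(f"i-{n}", store) for n in range(3)]   # constructed instance names
    lb = LoadBalancer(nodes, sticky)
    first = lb.route()
    sid = first.create_session("alice")
    if sticky:
        lb.affinity[sid] = first
    if kill_pinned_node:                     # the instance that authenticated the user stops
        lb.nodes.remove(first)
    return all(sid in lb.route(sid).sessions for _ in range(requests))

if __name__ == "__main__":
    print("no stickiness, local sessions:   ", scenario(False, False))
    print("sticky, local sessions:          ", scenario(True, False))
    print("sticky, pinned node terminated:  ", scenario(True, False, True))
    print("sticky + shared store, node gone:", scenario(True, True, True))
```
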
1

You can also use DynamoDB for Tomcat session sharing: http://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/java-dg-tomcat-session-manager.html

Juan Carrey