21

I'm going to have 3 Tomcat servers and a Load Balancer that dispatches the requests without using 'sticky sessions'.

I want to share sessions' data between the servers and I'm thinking in persisting them in DB. I'd like to use memcached as a layer in front of my DB to serve the requests faster and to don't put my db under heavy load.

I'm thinking in providing my customized tomcat Manager that uses memcached before getting/persisting session data to DB as at the moment I don't see a transparent way of doing it (it means that I'll have to manage it again in the case I switch to another app server).

Is this a good solution or do you see a better approach?

Bozho
  • 588,226
  • 146
  • 1,060
  • 1,140
mickthompson
  • 5,442
  • 11
  • 47
  • 59
  • May be this can help https://github.com/rover886/tomcat-pysession-server – Amogh Jun 02 '18 at 09:55
  • @Amogh I think nowadays https://spring.io/projects/spring-session also offers a great transparent solution for this problem of 2010 :) – mickthompson Aug 07 '18 at 12:21

4 Answers4

18

Persisting sessions in the database limits your scalability. If scalability is not that important for you this (db + memcached) is a valid approach.

One thing you need to keep in mind when using nonsticky-sesions are concurrent requests: when you have e.g. ajax-requests (executed in parallel/concurrently) they will be served by different tomcats (due to non-stickyness) and therefore access the session concurrently. As long as you have concurrent requests that might modify the session you need to implement some kind of synchronization / session locking.

Perhaps this is of interest for you: I created the memcached-session-manager with the goal of both optimal performance and unlimited scalability. It can work with any memcached-compatible backend (e.g. also memcachedb, membase etc. or just memcached). Although it was originally created for a sticky-sessions approach, there's already a branch for nonsticky-sessions existing and a sample app showing how/that it works. Right now there's a thread on the mailing list on further improvements for nonsticky-sessions (handling of concurrent requests and preventing single-point-of-failure).

MartinGrotzke
  • 1,301
  • 8
  • 13
  • 2
    I just want to drop a note here that I just release memcached-session-manager with non-sticky sessions support (and support for tomcat7). The announcement with some details regarding non-sticky sessions: http://groups.google.com/group/memcached-session-manager/t/612891b0ae10649d – MartinGrotzke Jan 28 '11 at 07:36
  • very good point about ajax requests. Within same flow, there could be multiple request to server. – vsingh May 03 '15 at 02:56
  • @MartinGrotzke May be this can help https://github.com/rover886/tomcat-pysession-server – Amogh Jun 02 '18 at 09:56
7

Storing your session state outside of the app servers (Tomcat in your case), is a very common and recommended configuration for large scale websites. This is usually done in pursuit of an architecture style called Shared Nothing.

You can store your state in several different places: db, memcached, commercial replicated cache, etc. They all work with different mixtures of trade offs. Personally, I've had great success with memcached. Memcached is extremely fast and stable.

Generally, I opt for simplicity and use N memcache servers where N>1, say 2. As users log in, the app servers flip a coin to decide which server stores the users state. The cookie sent to the browser includes information to know which memcache server to route to from then on. Subsequent requests from the browser fetch state from the appropriate memcache server on each request. Should a memcache server fail, the user will have to login again as the app servers reselect a new server, but that is extremely rare.

lmonson
  • 101
  • 4
0

We do a similar thing in our application (Weblogic, but that doesn't matter), where we have a unique session key stored as a cookie in the browser. That key will then be used at each request to restore the relevant session data from the database.

Using this principle, we can always switch over to another server using the load balancer without the user noticing anything. In addition to that, we hardly store anything relevant in the user's session and work with a lot of hidden fields in the browser (the load balancer supports URL encryption and form-value protection, so we're on the safe side...).

Lukas Eder
  • 211,314
  • 129
  • 689
  • 1,509
  • @Lucas Eder we have similar setup, the difference is we use Memcached for session store. – Nishant Dec 30 '10 at 11:41
  • For some applications it "Doesn't matter" (ie session data may not be considered sensitive as far as the authenticated user is concerned), but in principle shipping "session" data back and forth - whether as "hidden" fields (of course no fields on an HTML page are truly hidden from the user) or as cookies, which are made for this purpose - is poor practice. Unless the client side of the app needs this data, it should not be exposed to the browser. – erik258 Nov 08 '13 at 20:23
  • 1
    @DanFarrell: The hidden fields weren't sensitive data, and form-value protection kept it from being tweaked. So I don't see how it would be poor practice, security-wise. There was a lot of data transfer overhead, of course... – Lukas Eder Nov 08 '13 at 23:19
0

I think Terracotta Web Sessions is what you want.

reevesy
  • 3,452
  • 1
  • 26
  • 23
Bozho
  • 588,226
  • 146
  • 1,060
  • 1,140