So today’s video is about explaining the differences between sessions and cookies. The reason why I want to talk about this topic is to clarify common issues that I have seen with developers when it comes to implementing sessions and cookies. The purpose of sessions and cookies is to preserve some kind of short-term data across multiple requests; a lot of times this is tracking cookies or user tokens. Session data is short-term data stored on the server, and typically there is a session cookie in the user’s browser, holding a session identifier, so that the server can associate the session data with the correct user. Cookies are short-term data stored in the user’s browser, and typically each cookie has an expiration time.
So when a web application runs on one server, we can be sure that we will have the correct session data for each user. However, when a web application runs on multiple servers, we cannot be sure the session data will be correct, because a user’s next request may be handled by a server that never stored that user’s session. To solve this issue, there are two different things that can be done: 1) design the web application to track the user so that they always have access to their session data, or 2) design the web application not to use session data, but to rely on browser cookies and store critical or sensitive data in the database.
So, let us take a deeper dive into Solution #1. For this solution, we need a way to either centralize the session data or make sure that a user’s requests are only handled by the same web server. Usually this solution means using a caching service like Memcached or Redis to store session data, since one caching server can serve multiple web servers. In this setup, no matter which web server handles the user’s request, the session is stored in one centralized location. Another way to implement this solution is to have a load balancer assign sticky session cookies to users. In this setup, the load balancer looks at the user’s cookie to see which web server was assigned to serve that user and forwards the request to that web server.
One of the drawbacks of implementing Solution #1 is that when the application receives enough concurrent requests, the session caching service can fill up and start evicting session data. Or, if the application is using sticky sessions, one server can end up with too many concurrent users and crash. Even with this drawback, the usual mitigation involves monitoring the traffic and adding or removing servers as needed. A lot of times the load balancer will see that one server is overloaded and forcefully re-assign users to other servers to help prevent any of the servers from crashing.
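To make the routing problem and the two Solution #1 fixes concrete, here is an added Python model that is not code from the video. It assumes two web servers behind a round-robin load balancer, a plain dict standing in for the Redis/Memcached store, and a constructed user "alice"; the naive setup loses the session on the second request, while the shared store and the sticky SERVERID cookie both keep it, and an evicted session simply reads as logged out.

```python
import secrets
from itertools import cycle

# Constructed model of session handling behind a load balancer (added example,
# not the video's code). A plain dict stands in for Redis/Memcached.


class WebServer:
    """One application server; holds session data in a private or shared table."""

    def __init__(self, name, shared_store=None):
        self.name = name
        # Shared store = centralized cache; otherwise each server keeps its own sessions
        self.sessions = shared_store if shared_store is not None else {}

    def login(self, username):
        # Only a random, unguessable identifier goes into the browser cookie;
        # the user data itself stays server-side
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username}
        return sid

    def whoami(self, sid):
        # Unknown session id (other server, or evicted from the cache) means
        # "not logged in", never a fallback to trusting the client
        session = self.sessions.get(sid)
        return session["user"] if session else None


class LoadBalancer:
    """Round-robin balancer, optionally pinning a browser to one server."""

    def __init__(self, servers, sticky=False):
        self.by_name = {s.name: s for s in servers}
        self.sticky = sticky
        self._round_robin = cycle(servers)

    def route(self, cookies):
        if self.sticky and cookies.get("SERVERID") in self.by_name:
            return self.by_name[cookies["SERVERID"]]
        server = next(self._round_robin)
        if self.sticky:
            # The balancer sets its own cookie so later requests pin to this server
            cookies["SERVERID"] = server.name
        return server


def build(strategy):
    """Build two web servers behind a balancer for the given strategy."""
    if strategy == "shared_store":
        store = {}
        servers = [WebServer("web1", store), WebServer("web2", store)]
        return LoadBalancer(servers), store
    servers = [WebServer("web1"), WebServer("web2")]
    return LoadBalancer(servers, sticky=(strategy == "sticky")), None


def second_request_user(strategy):
    """Log in on one request, then ask who the next request resolves to."""
    lb, _ = build(strategy)
    cookies = {}                      # the browser's cookie jar
    server = lb.route(cookies)
    cookies["sessionid"] = server.login("alice")
    server = lb.route(cookies)        # same browser, next request
    return server.whoami(cookies["sessionid"])


def user_after_eviction():
    """Centralized store under memory pressure: the evicted session is gone."""
    lb, store = build("shared_store")
    cookies = {}
    cookies["sessionid"] = lb.route(cookies).login("alice")
    store.clear()                     # simulate the cache evicting session data
    return lb.route(cookies).whoami(cookies["sessionid"])


if __name__ == "__main__":
    for strategy in ("naive", "shared_store", "sticky"):
        print(f"{strategy:13s} second request sees user: {second_request_user(strategy)}")
    print(f"after eviction second request sees user: {user_after_eviction()}")
```

The design point is that the browser only ever holds a random identifier; which server answers is decided by the balancer's own cookie or by a shared store, and when the store evicts a session the server treats the request as unauthenticated rather than reconstructing anything from the client.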
So, let us take a deeper dive into Solution #2. For this solution, we design the web application not to use sessions, but to rely on browser cookies and the database. Solution #2 will look a lot like Solution #1; the difference is how the application looks at the user’s data. It needs to determine how critical and sensitive each piece of data is in order to decide where it should be stored. Critical and/or sensitive data is stored in the database, while data that is neither critical nor sensitive is stored in a browser cookie.
One of the many drawbacks with this solution is making sure that each user has access to only their own data in the database. This means that if an application allows anonymous users, it may be a good idea not to store any critical and/or sensitive data unless there is some kind of authentication system that can be used to verify the user’s identity. Another potential drawback is traffic volume: if there are enough connections to the database, it can cause the database to crash; a way to prevent this is to have multiple databases.
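The following added Python example (not code from the video) shows the Solution #2 split described in the two paragraphs above: non-sensitive preferences travel in a browser cookie, sensitive data stays in the database and is only read through the identity the authentication system established. It assumes an in-memory SQLite database with constructed users "alice" and "bob", a constructed placeholder SECRET_KEY, and goes one step beyond the text by signing the cookie with an HMAC, since anything stored in the browser can be edited by the user and the server needs a way to notice that.

```python
import base64
import hashlib
import hmac
import json
import sqlite3

# Added example, not the video's code: non-sensitive preferences ride in a
# signed browser cookie; sensitive data lives only in the database and is
# always read through the authenticated user's id.

# Constructed placeholder key; a real deployment loads it from a secret store
SECRET_KEY = b"constructed-demo-key-not-for-production"
DEFAULT_PREFS = {"theme": "light", "lang": "en"}


def sign_cookie(data):
    """Serialize non-sensitive data and attach an HMAC so tampering is detectable."""
    payload = base64.urlsafe_b64encode(
        json.dumps(data, sort_keys=True).encode()
    ).decode()
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_cookie(cookie):
    """Return the cookie's data, or None if it is missing, malformed or altered."""
    if not cookie or "." not in cookie:
        return None
    payload, mac = cookie.rsplit(".", 1)
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None


def make_db():
    """In-memory SQLite with constructed users and their stored payment cards."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE payment_methods (user_id INTEGER, last4 TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    db.executemany("INSERT INTO payment_methods VALUES (?, ?)",
                   [(1, "4242"), (2, "1881")])
    return db


def payment_methods_for(db, authenticated_user_id):
    """Sensitive rows are filtered by the id the auth system established,
    never by anything the browser sent, so a user only sees their own data."""
    rows = db.execute("SELECT last4 FROM payment_methods WHERE user_id = ?",
                      (authenticated_user_id,)).fetchall()
    return [last4 for (last4,) in rows]


def build_user_view(db, authenticated_user_id, prefs_cookie):
    """Assemble one page's data: cookie for preferences, database for sensitive data."""
    prefs = verify_cookie(prefs_cookie) or dict(DEFAULT_PREFS)
    sensitive = payment_methods_for(db, authenticated_user_id) if authenticated_user_id else []
    return {"prefs": prefs, "payment_methods": sensitive}


if __name__ == "__main__":
    db = make_db()
    cookie = sign_cookie({"theme": "dark", "lang": "en"})
    print(build_user_view(db, 1, cookie))
    # Anonymous visitor: preferences still work, sensitive data is never loaded
    print(build_user_view(db, None, cookie))
```

A rejected or missing cookie falls back to default preferences instead of failing the request, and an anonymous visitor gets no database lookup at all, which is the point the text makes about not storing sensitive data for users the application cannot authenticate.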
Neither solution is better than the other, because both solutions are just different faces of the same coin. Even I use both solutions when designing web applications that I know will have a large flow of traffic. That is because each solution has some edge that the other solution does not have, but they work best when the application uses both solutions.
Understanding how the users will interact with the application is important, because from there we can design the most optimized version of the application. However, it is also important to see how malicious users may try to find security holes, and figure out ways to prevent those vulnerabilities from existing in the first place.
Watch the video "Tech Tip: How to properly handle sessions and cookies with multiple servers" online without registration, with a duration of hours minutes seconds, in good quality. This video was added by user WebDev Dave on 24 March 2019; don't forget to share the link with friends and acquaintances. On our site it has been viewed 1,040 times and liked by 8 people.