Difference and connection between cookie and session
Cookies are used by the local client to store a small amount of data information, saved in the client, the user can easily access, security is not high, the amount of data stored is small
session is used by the server to store part of the data information, saved on the server, the user is not easy to access, high security, the amount of data stored is relatively large, stored on the server, it will take up some server resources, but for its advantages, this shortcoming can be ignored!
What is session used for?
In a session between the client and the server, the client (browser) sends a request to the server, first of all, the cookie will automatically carry the data stored in the last request (JSESSIONID) to the server, the server according to the JSESSIONID in the request parameter to the server session library to query whether there is this JSESSIONID information If it exists, then the server knows who the user is, if it does not exist, it creates a JSESSIONID and returns it to the client at the end of the request, and saves it in the client's cookie.
Clients and servers communicate via the http protocol, but the http protocol is stateless, there is no correlation between different request sessions, but the advantage is that the processing speed is fast.
session is a session of interaction between the browser and the server, when the browser is closed, the session is over, but the session is still there, the default session is still retained for 30 minutes
Distributed session consistency
The client sends a request, after load balancing the request will be assigned to one of the servers, due to the different servers contain different web servers (e.g. Tomcat), different web servers can not be found before the web server to save the session information, it will generate a JSESSIONID again, the previous state will be lost!
Option 1: Client-side storage
Storing information directly in a cookie A cookie is a small piece of data stored on the client, which interacts with the server via the http protocol and is usually used to store some insensitive information.
drawbacks
Data is stored on the client side, which is a security risk
Limitations on cookie storage size and type
Data is stored in cookies, if a request cookie is too large, it will add more overhead to the network
Option 2: session replication
session replication is a small business applications use more of a server cluster session management mechanism, in the real development use is not a lot, through the web server (such as Tomcat) to build a cluster.
Problems
The principle of session synchronization is to synchronize sessions asynchronously by sending broadcasts on the same LAN, once more servers, concurrency up, the session needs to be synchronized with a larger amount of data, you need to synchronize all the sessions on other servers to this server, which will bring about a certain amount of network overhead, and in the case of a particularly large number of users, it will appear that the Insufficient memory
Pros:
Session information between servers is synchronized, any server downtime will not affect the status of the session in the other server, configuration is relatively simple
Tomcat already supports distributed architecture development and management mechanism, you can modify the configuration of tomcat to support session replication, synchronize session objects between several servers in the cluster, so that each server has saved the session information of all users, so that any local downtime will not lead to the loss of session data, and the server to use the session, you only need to get it locally. When the server uses the session, it only needs to get it locally.
How to Configure:
In the Tomcat installation directory in the config directory in the file, open the comment, tomcat must be in the same gateway, otherwise not receive the broadcast, synchronization session can not be
Turn on session replication in: <distributable/>
Option 3: session binding:
Introduction to Nginx:
Nginx is a free, open source, high-performance http server and reverse proxy server
What Nginx can do:
Reverse proxy, load balancing, http server (dynamic proxy), forward proxy
How to use nginx for session binding
We utilize reverse proxy and load balancing of nginx, before, the client will be assigned to one of the servers for processing, the specific server assigned to which server for processing also depends on the server's load balancing algorithm (polling, random, ip-hash, weight, etc.), but we can be based on the ip-hash policy of nginx, you can bind the client and the server, the same client can only access the server, no matter how many times the client sends a request, it will be processed by the same server. The same client can only access the server, no matter how many times the client sends a request, it will be processed by the same server.
Files in the conf directory in the nginx installation directory
upstream aaa {
Ip_hash;
server 39.105.59.4:8080;
Server 39.105.59.4:8081;
}
server {
listen 80;
server_name ;
#root /usr/local/nginx/html;
#index ;
location / {
proxy_pass http:39.105.59.4;
index ;
}
}
Drawbacks:
Easy to cause a single point of failure, if one server is down, then the session information on that server will be lost
No load balancing on the front end, if there is, session binding will be problematic
Pros:
Simple configuration
Option 4: redis-based session storage solution
Schematic flow of redis-based session storage program
Introducing pom dependencies:
<dependency> <groupId></groupId> <artifactId>spring-session-data-redis</artifactId> </dependency> <dependency> <groupId></groupId> <artifactId>spring-boot-data-starter-redis</artifactId> </dependency>
Configuring redis
#redis database index (default is 0)
=0
=127.0.0.1
=6379
# Default password is empty
=
# Maximum number of connections in the connection pool (a negative number means there is no limit)
-active=1000
# Connection pool maximum blocking wait time (negative number means no limit)
-wait=-1ms
#Maximum free connections in the connection pool
-idle=10
# Minimum free connections in the connection pool
-idle=2
# Connection timeout (milliseconds)
=500ms
Pros:
- This is one of the most used in the business
- spring has encapsulated spring-session for us, directly introduce the dependency can be
- Data is stored in redis for seamless access without any security risks
- redis itself can do clustering, build a master-slave, and at the same time convenient management
Drawbacks:
One more network call, the web container needs to access to the redis
summarize
Generally, the server where the web container resides and the server where redis resides are placed in the same server room to reduce network overhead and connect via intranet.
This is the whole content of this article.