Hello everyone, I am a CRUD engineer here again. Recently, one of my colleagues suddenly looked at distributed Seesion
issues, and then the two of us discussed with each other. Today I want to Session
sort out the distributed knowledge points. .
In many systems, the user's login function is Session
used to realize the user's login function. The client fills in the user name and password, sends a request, and the server creates Session
and returns the current Session
corresponding one after receiving the request JessionId
, which is stored in the browser cookie
. When the client calls other methods to send a request to the server, it will carry it JessionId
. After receiving the request, the server verifies Session
whether it exists and then determines whether the user is logged in.
In a distributed environment, Session
problems will arise. If the server is deployed on two servers A and B
When the user logs in, the request falls on server A. Server A creates a request Session
and returns it JessionId
;
When the user obtains personal information, the request falls on Server B, and the corresponding information carried in the request cannot JesssionId
be found on Server B.Session
At this time, server B will return an abnormal reminder to the client (the user is not logged in), and the client will receive the return value, and the user will find that he is redirected to the login interface by T again.
Session
Next, let’s look at how to achieve consistency in a distributed environment
1. Client storage
Since in a distributed environment, multiple requests from a client may land on multiple servers, can we change the strategy and store the Session
information directly on the client?
The answer is of course yes. The server Session
stores the information directly in the server cookie
, which ensures Session
the consistency of the server. However, we do not recommend doing this, which will cause data security risks, because storing some information in the server is cookie
equivalent to This information is exposed to the client, which poses serious security risks.
shortcoming
- System security issues
- Cookies have restrictions on data type and data size
2. Session copy
Copy server A's Session
to server B, and also Session
copy server B's to server A, so that the two servers Session
are consistent. Like tomcat
other web containers, they all support Session
the replication function. In the same LAN, one server Session
will broadcast to other servers.
shortcoming
- If there are too many servers in the same network segment, each server will copy the session, which will cause a waste of server memory.
3. Session stickiness
Use Nginx
the server's reverse proxy to proxy server A and server B, and then use ip_hash
the load strategy to bind the client and server, that is to say, client A accesses server B for the first time, then the second time The access must also be to server B, so there will be no Session
inconsistency problem.
shortcoming
- If server A goes down, client A and client B
Session
will be lost, and all requests from clients A and B will fail.
4. Session centralized management
Session
This method is to manage all servers in a unified manner, and can use redis
other high-performance servers for centralized management Session
, and spring officially provides spirng-session
this way to deal with Session
consistency issues. Session
This is also a distributed solution currently used by many enterprises .
spring-session actual combat
Spring
Provides Session
a solution for dealing with distribution - Spring Session
. Spring Session
Provides APIs and implementations for managing user sessions.
Spring Session
Provides support for commonly used repositories such as redis
, mongodb
, , etc., and provides transparent integration with , which means that developers can switch implementations using supported implementations .mysql
Spring Session
HttpSession
Spring Session
HttpSession
Spring Session
I found an implementation flow chart on the Internet
Spring Session
and added a SessionRepositoryFilter
filter to modify the packaging request and response. The packaged request is, when the method is SessionRepositoryRequestWrapper
called, it is actually called .getSession()
Spring Session
Session
Spring Session
It is very simple to use. After adding the relevant dependencies, HttpSession
the effect can be achieved by direct operation.
pom.xml
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session-data-redis</artifactId>
</dependency>
yml
spring:
session:
# session 失效时间(分钟)
timeout: 86400
# session 使用redis存储
store-type: redis
# redis 配置
redis:
# redis 端口号
port: 6379
# redis 服务器地址
host: localhost
# redis库
database: 0
# redis 密码
password: 123456
Use session
public String test( HttpServletRequest request){
HttpSession session = request.getSession();
session.setAttribute("key_big_handsome","value:it is me");
return session.getAttribute("key_big_handsome").toString();
}
After executing this method, we look at redis
- The first one is used to represent
Session
expiration in Redis. This kv does not store any useful data, it is justSession
set to represent expiration.Redis
The expiration time of this key in isSession
the expiration interval. - The second one that stores this
Session
id is aSet
type ofRedis
data structure. The last 1681633260000 value in this key is a timestamp calculated based on the Session expiration moment rolled to the next minute. - The third one is used to store
Session
detailed information, includingSession
expiration interval, latest access time,attributes
etc.
Spring Session
There is a timed task in , every full minute will query the expiration in the corresponding spring:session:expirations:
full minute timestamp SessionId
, and then visit this again SessionId
, that is spring:session:sessions:expires:SessionId
, so that the key expiration event can be Redis
generated in time—that is, Session
the expiration event.