Introduction
The stateless filter overrides the standard session management and stores session
data outside of the J2EE server. This lets you set up a load-balanced application quickly,
without sticky sessions or cluster configuration.
The filter supports pluggable backends. The current ones are:
- plaincookie : Stores the session in a plain or compressed cookie.
- aescookie : Stores the session in an encrypted and compressed cookie.
- memcache : Stores the session in a memcache server.
Note that a session can be split across backends. For e-commerce applications,
basket data can be stored in an encrypted cookie with unlimited lifetime, while account
information is stored in memcache.
How it works
Status
This filter is still in beta. Feel free to test it and report successes and issues.
Pros
- Same configuration on all J2EE servers.
- Can use simple load balancers (does not require sticky sessions).
- 1:1 scalability with cookies.
- Reduced memory usage because no session data is stored on the server.
- Developers can restart the server without losing their session.
- Helps to detect clustering issues during development.
Cons
- Higher CPU usage.
- Not a standard mechanism.
- Storing data on the client side is a security issue. Always use aescookie
so that the data is encrypted. If your key is compromised, an attacker will be able to inject data and code
within your application.
- Same constraints as clustering: session objects must be Serializable and session#setAttributes()
should be called for efficient change detection.
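The key-compromise risk above comes from rebuilding Serializable objects out of client-supplied bytes. The sketch below is an added example, not the filter's own code: it assumes Java 9+, AES-GCM as the cipher mode, and a hypothetical class name and allow-list, and shows a cookie that is authenticated as well as encrypted, plus a deserialization filter that limits what even a holder of the key can instantiate.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.io.*;
import java.security.SecureRandom;
import java.util.*;

public class SealedSessionCookie { // hypothetical name, not part of the filter
    // Only these classes may be rebuilt from a cookie; "!*" rejects everything else.
    static final ObjectInputFilter ALLOW = ObjectInputFilter.Config.createFilter(
        "java.util.HashMap;java.util.Map$Entry;java.lang.String;java.lang.Number;"
        + "java.lang.Integer;maxdepth=5;maxbytes=4096;!*");

    static String seal(SecretKey key, Serializable session) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(session); }
        byte[] iv = new byte[12];                        // fresh nonce for every cookie
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(buf.toByteArray());        // ciphertext followed by 16-byte tag
        byte[] all = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, all, iv.length, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(all);
    }

    static Object open(SecretKey key, String cookie) throws Exception {
        byte[] all = Base64.getUrlDecoder().decode(cookie);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, all, 0, 12));
        byte[] plain = c.doFinal(all, 12, all.length - 12); // throws if the cookie was modified
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(plain))) {
            in.setObjectInputFilter(ALLOW);              // enforced before any object is built
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        HashMap<String, Integer> basket = new HashMap<>(); // constructed sample session data
        basket.put("sku-1001", 2);
        String cookie = seal(key, basket);
        System.out.println("round trip: " + open(key, cookie));
        // A cookie edited on the client fails the GCM tag check.
        String edited = (cookie.charAt(0) == 'A' ? 'B' : 'A') + cookie.substring(1);
        try { open(key, edited); } catch (Exception e) { System.out.println("edited: " + e); }
        // A correctly keyed cookie carrying a class outside the allow-list is refused.
        try { open(key, seal(key, new Date())); } catch (Exception e) { System.out.println("filtered: " + e); }
    }
}
```

The allow-list has to name every class the application puts in the session, including Serializable superclasses such as java.lang.Number.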