291

I want to know the difference between sticky- and non-sticky sessions. What I understood after reading from internet:

Sticky : only single session object will be there.

Non-sticky session : session object for each server node

Lemmy
  • 2,178
  • 1
  • 18
  • 29
Sunny Gupta
  • 6,609
  • 15
  • 50
  • 80

2 Answers2

678

When your website is served by only one web server, for each client-server pair, a session object is created and remains in the memory of the web server. All the requests from the client go to this web server and update this session object. If some data needs to be stored in the session object over the period of interaction, it is stored in this session object and stays there as long as the session exists.

However, if your website is served by multiple web servers which sit behind a load balancer, the load balancer decides which actual (physical) web-server should each request go to. For example, if there are 3 web servers A, B and C behind the load balancer, it is possible that www.mywebsite.com is served from server A, www.mywebsite.com is served from server B and www.mywebsite.com/ are served from server C.

Now, if the requests are being served from (physically) 3 different servers, each server has created a session object for you and because these session objects sit on three independent boxes, there's no direct way of one knowing what is there in the session object of the other. In order to synchronize between these server sessions, you may have to write/read the session data into a layer which is common to all - like a DB. Now writing and reading data to/from a db for this use-case may not be a good idea. Now, here comes the role of sticky-session.

If the load balancer is instructed to use sticky sessions, all of your interactions will happen with the same physical server, even though other servers are present. Thus, your session object will be the same throughout your entire interaction with this website.

To summarize, In case of Sticky Sessions, all your requests will be directed to the same physical web server while in case of a non-sticky load balancer may choose any webserver to serve your requests.

As an example, you may read about Amazon's Elastic Load Balancer and sticky sessions here : http://aws.typepad.com/aws/2010/04/new-elastic-load-balancing-feature-sticky-sessions.html

Chaminda Bandara
  • 1,847
  • 2
  • 26
  • 30
TJ-
  • 13,534
  • 12
  • 57
  • 84
  • 7
    @TJ- what will happen if one node will unavailable? – gstackoverflow Nov 08 '15 at 15:25
  • 24
    In most of the cases, the session will be lost. In case of [AWS ESB](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-sticky-sessions.html) _If an instance fails or becomes unhealthy, the load balancer stops routing request to that instance, instead chooses a new healthy instance based on the existing load balancing algorithm. The load balancer treats the session as now "stuck" to the new healthy instance, and continues routing requests to that instance even if the failed instance comes back._ – TJ- Nov 09 '15 at 02:22
  • 10
    According to what informations does the LoadBalancer make a HTTP session sticky? Especialy on HTTPS connections this issue becomes interesting. Do you feed the LB with the web servers private key, so that it is able to break up the SSL connection and fetch the HTTP session? Or does the LB simply make use of the client IP adress? In this case, what about proxy server where multiple clients use the same IP-address? Or even worse, mobile clients, where the IP-address changes frequently? Or is there even a better technique for that? Thanks – g000ze Feb 01 '16 at 14:12
  • 1
    Yes, there is - cookies :) For the first part - this is a preconfiguration. If you have configured the LB to create sticky sessions, it will help in doing so. – TJ- Feb 01 '16 at 16:32
  • 1
    If the LB is meant to read HTTP cookies, you need to feed it with the web servers private key and certificate in order to read encrypted traffic. This breaks the End-to-End security. Also, the LB's performance will never be the same anymore. Or do I see something wrong? – g000ze Feb 02 '16 at 14:39
  • 7
    Yes, you are absolutely correct. In order to make use of "x-forwarded-for" header or a sticky-cookie in this context, _SSL Termination_ needs to be used and hence, the request needs to be decrypted at the LB. – TJ- Feb 03 '16 at 03:51
  • 5
    @g000ze When dealing with applications that are not served directly to the internet, I believe it's common to enable TLS only on the outermost proxy server. (A load balancer can be regarded, perhaps over simplistically, as a special type of proxy server, that may pass the request on to any of multiple server.) Traffic between the load balancer and the other servers will occur on a local, secured network, and it is therefore often not necessary to encrypt it, or if it needs to be encrypted, a self signed certificate can be sufficient (since the proxy can be configured to trust it). – jpmc26 Feb 20 '16 at 01:34
  • 1
    Am I right in thinking you would almost always want sticky sessions enabled then? – Si-N Mar 16 '17 at 10:59
  • 1
    How are sticky sessions implemented internally? I can image a table that maps an IP address to a server name, but that can grow out of hand pretty quickly, no? – Maria Ines Parnisari Oct 17 '17 at 23:49
  • 4
    IP addresses may not be the right approach. For example, the requests may be routed via a proxy server. One of the approaches is cookies - the load balancer can read/write cookies that may be used to identify and forward the request to the intended server. – TJ- Oct 19 '17 at 15:04
  • @TJ- you said that "Now writing and reading data to/from a db for this use-case may not be a good idea". May I know why? – Gerald Nov 12 '19 at 03:17
  • @TJ- , is non-sticky session the same or equal to "distributed sessions"? – Artanis Zeratul Dec 18 '20 at 02:37
  • What about a session store like Redis to handle all the session's it's probably a good solution. – Snivio Aug 15 '21 at 18:48
120

I've made an answer with some more details here : https://stackoverflow.com/a/11045462/592477

Or you can read it there ==>

When you use loadbalancing it means you have several instances of tomcat and you need to divide loads.

  • If you're using session replication without sticky session : Imagine you have only one user using your web app, and you have 3 tomcat instances. This user sends several requests to your app, then the loadbalancer will send some of these requests to the first tomcat instance, and send some other of these requests to the secondth instance, and other to the third.
  • If you're using sticky session without replication : Imagine you have only one user using your web app, and you have 3 tomcat instances. This user sends several requests to your app, then the loadbalancer will send the first user request to one of the three tomcat instances, and all the other requests that are sent by this user during his session will be sent to the same tomcat instance. During these requests, if you shutdown or restart this tomcat instance (tomcat instance which is used) the loadbalancer sends the remaining requests to one other tomcat instance that is still running, BUT as you don't use session replication, the instance tomcat which receives the remaining requests doesn't have a copy of the user session then for this tomcat the user begin a session : the user loose his session and is disconnected from the web app although the web app is still running.
  • If you're using sticky session WITH session replication : Imagine you have only one user using your web app, and you have 3 tomcat instances. This user sends several requests to your app, then the loadbalancer will send the first user request to one of the three tomcat instances, and all the other requests that are sent by this user during his session will be sent to the same tomcat instance. During these requests, if you shutdown or restart this tomcat instance (tomcat instance which is used) the loadbalancer sends the remaining requests to one other tomcat instance that is still running, as you use session replication, the instance tomcat which receives the remaining requests has a copy of the user session then the user keeps on his session : the user continue to browse your web app without being disconnected, the shutdown of the tomcat instance doesn't impact the user navigation.
Community
  • 1
  • 1
Nico
  • 3,281
  • 3
  • 19
  • 26
  • 13
    Hmm.. reading this I wonder: wouldn't it make sense having a fourth option: Non-Sticky WITH session replication? Or put differently: what is the advantage of having a sticky session if one replicates the session to the different instances anyway? I mean, if you are replicating the sessions across the instances, you could just forward the request to any server as well, right? What am I missing? – dingalapadum Jan 14 '19 at 12:54
  • @dingalapadum you're right, theorically you can have session replication without sticky-session. But in case of a large cluster it's bad for network performance. Then there are some strategies in using session replication with sticky session like this one in tomcat (https://tomcat.apache.org/tomcat-9.0-doc/cluster-howto.html) is to put a sticky session and only one replica (one node here called backup manager that keeps all node session replication). – Nico Jan 14 '19 at 14:20
  • Then sticky session allows you to have only one session replica, which is best in large cluster. – Nico Jan 14 '19 at 14:44
  • 3
    Ah I see - If I understand correctly, you mean that replicating all the sessions across the whole cluster would flood the cluster internally - I see the problem. Oh, and now having a closer look at your answer, I just saw, that this is actually the first case you describe... 'duh me'.. – dingalapadum Jan 14 '19 at 14:58
  • 1
    @dingalapadum your question is welcome it permits to improve the answer – Nico Jan 14 '19 at 15:12