Sessions
IG uses sessions to group requests from a user agent or other source, and collect information from the requests. When multiple requests are made in the same session, the requests can share the session information. Because session sharing is not thread-safe, it is not suitable for concurrent exchanges.
The following table compares stateful and stateless sessions:
Feature | Stateful sessions | Stateless sessions |
---|---|---|
Cookie size. | Unlimited. | Max 4 KBytes. |
Default name of the session cookie. | | |
Object types that can be stored in the session. | Only Java serializable objects, when sessions are replicated. Any object, when sessions are not replicated. | JSON-compatible types, such as strings, numbers, booleans, null, structures such as arrays, and list and maps containing only JSON-compatible types. |
Session sharing between instances of IG, for load balancing and failover. | Possible when sessions are replicated on multiple IG instances. Possible when sessions are not replicated, if session stickiness is configured. | Possible because the session content is a cookie on the user agent, that can be copied to multiple instances of IG. |
Risk of data inconsistency when simultaneous requests modify the content of a session. | Low because the session content is stored on IG and shared by all exchanges. Processing is not thread-safe. | Higher because the session content is reconstructed for each request. Concurrent exchanges don't see the same content. |
About Stateful Sessions
When a JwtSession is not configured for a request, stateful sessions are created automatically. Session information is stored in the IG cookie, called IG_SESSIONID
by default. When the user agent sends a request with the cookie, the request can access the session information on IG.
When a JwtSession object is configured in the route that processes a request, or in its ascending configuration (a parent route or config.json
), the session is always stateless and can't be stateful.
When a request enters a route without a JwtSession object in the route or its ascending configuration, a stateful session is created lazily. The session lasts as follows:
For IG in standalone mode, the duration defined the
session
property inadmin.json
, defaulting to 30 minutes. For more information, see the `session` property of "AdminHttpApplication (admin.json
)".For IG in web container mode, until the session reaches the timeout configured by the web container.
Even if the session is empty, the session remains usable until the timeout.
When IG is not configured for session replication, any object type can be stored in a stateful session.
Because session content is stored on IG, and shared by all exchanges, when IG processes simultaneous requests in a stateful session there is low risk that the data becomes inconsistent. However, sessions are not thread-safe; different requests can simultaneously read and modify a shared session.
Session information is available in SessionContext to downstream handlers and filters. For more info see "SessionContext".
Considerations for clustering IG
When a stateful session is replicated on the multiple IG instances, consider the following points:
The session can store only object types that can be serialized.
The network latency of session replication introduces a delay that can cause the session information of two IG instances to desynchronize.
Because the session is replicated on the clustered IG instances, it can be shared between the instances, without configuring session stickiness.
When sessions are not shared, configure session stickiness to ensure that load balancers serve requests to the same IG instance. For more information, see "Preparing For Load Balancing and Failover".
About Stateless Sessions
Stateless sessions are provided when a JwtSession object is configured in config.json
or in a route. For more information about configuring stateless sessions, see "JwtSession".
IG serializes stateless session information as JSON, stores it in a JWT that can be encrypted and then signed, and places the JWT in a cookie. The cookie contains all of the information about the session, including the session attributes as JSON, and a marker for the session timeout.
Only JSON-compatible object types can be stored in stateless sessions. These object types include strings, numbers, booleans, null, structures such as arrays, and list and maps containing only JSON-compatible types.
Stateless sessions are managed as follows:
When a request enters a route with a JwtSession object in the route or its ascending configuration, IG creates the SessionContext, verifies the cookie signature, decrypts the content of the cookie, and checks that the current date is before the session timeout.
When the request passes through the filters and handlers in the route, the request can read and modify the session content.
When the request returns to the the point where the session was created, for example, at the entrance to a route or at
config.json
, IG updates the cookie as follows:If the session content has changed, IG serializes the session, creates a new cookie with the new content, encrypts and then signs the new cookie, assigns it an appropriate expiration time, and returns the cookie in the response.
If the session is empty, IG deletes the session, creates a new cookie with an expiration time that has already passed, and returns the cookie in the response.
If the session content has not changed, IG does nothing.
Because the session content is stored in a cookie on the user agent, stateless sessions can be shared easily between IG instances. The cookie is automatically carried over in requests, and any IG instance can unpack and use the session content.
When IG processes simultaneous requests in stateless sessions, there is a high risk that the data becomes inconsistent. This is because the session content is reconstructed for each exchange, and concurrent exchanges don't see the same content.
IG does not share sessions across requests. Instead, each request has its own session objects that it modifies as necessary, writing its own session to the session cookie regardless of what other requests do.
Session information is available in SessionContext to downstream handlers and filters,. For more information, see "SessionContext".