0
votes

Is it possible to prevent concurrent modifications of a session when running multiple load-balanced instances of an application?

Context: Multiple Tomcats, all running the same application. The application uses Spring Session to store the sessions in a Redis cluster. A load balancer distributes incoming requests to one of the Tomcats (non-sticky). User hits Button, Tomcat 1 processes the request very slowly (performance problem or whatever). User hits Button again, Tomcat 2 is much faster and replies success. User proceeds to following pages. Tomcat 1 finishes the very first request and overwrites the session – the data of all proceeding pages is lost.

A solution would be to lock the session. Thereby Tomcat 2 can detect the concurrent modification and reply with an error (much better than getting an inconsistent state).

Thx a lot AB

1 Answer

1
votes

Spring Session does not use any session locking mechanisms, as this would have a very negative impact on performance. Note that your example focuses on a single conversation, while a lock would affect all requests that belong to a given session, many of which are perfectly safe to be executed concurrently.

For the scenario from your example, another mechanism should be employed to provide protection. This could be something simple like disabling the button in the UI until the action is completed, therefore preventing the subsequent request, or using CSRF protection which would ensure that every request that modifies the server-side.

Also note that most of the session repository implementations provided by Spring Session provide optimizations of write operations whose goal is to reduce race conditions - this includes checking the session for modifications prior to saving, and also in some cases optimized save operations that write only the attributes that have changed. This is handled differently in each session repository due to the different nature of the underlying data stores, so check the `SessionRepository#save` implementation in the repository of your choice.

Perhaps somewhat related, Spring Session provides integration with Spring Security's concurrent session control starting from release 1.3.0 (which is, at the time of writing this post, in release candidate phase). You can check the reference manual for details.
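
The timeline from the question, replayed against three save strategies, as an added example that is not part of the original answer and is not Spring Session's code. It is an in-memory model with hypothetical names (`SessionSaveRace`, `Copy`, `saveChecked`); the version check in the third strategy is an assumption about how an application could detect a stale writer, not something the page says Spring Session does.

```java
import java.util.*;

// In-memory model of a shared session store (stands in for Redis); all names are hypothetical.
public class SessionSaveRace {
    static final Map<String, String> store = new HashMap<>(); // shared session attributes
    static long version = 0;                                   // bumped on every successful save

    // Per-request working copy, as each Tomcat instance holds while handling a request.
    static class Copy {
        final Map<String, String> attrs = new HashMap<>(store);
        final Map<String, String> delta = new HashMap<>();
        final long loadedVersion = version;
        void set(String k, String v) { attrs.put(k, v); delta.put(k, v); }
    }

    // Strategy 1: write the whole working copy back, replacing whatever is stored.
    static void saveFull(Copy c) { store.clear(); store.putAll(c.attrs); version++; }
    // Strategy 2: write only the attributes this request changed.
    static void saveDelta(Copy c) { store.putAll(c.delta); version++; }
    // Strategy 3: delta write guarded by a version check; a stale writer is rejected.
    static boolean saveChecked(Copy c) {
        if (c.loadedVersion != version) return false; // session changed since it was loaded
        saveDelta(c);
        return true;
    }

    // Replays the question's timeline: the slow request loads first and saves last.
    static String replay(String strategy) {
        store.clear(); version = 0;
        Copy slow = new Copy();                 // Tomcat 1 loads the session
        slow.set("order", "submitted");
        Copy fast = new Copy();                 // Tomcat 2 handles the second click
        fast.set("order", "submitted");
        saveDelta(fast);
        Copy next = new Copy();                 // user proceeds to the following page
        next.set("shipping", "express");
        saveDelta(next);
        boolean accepted = true;
        switch (strategy) {                     // Tomcat 1 finally finishes
            case "full": saveFull(slow); break;
            case "delta": saveDelta(slow); break;
            default: accepted = saveChecked(slow);
        }
        return strategy + ": accepted=" + accepted + " store=" + new TreeMap<>(store);
    }

    public static void main(String[] args) {
        for (String s : List.of("full", "delta", "checked")) System.out.println(replay(s));
    }
}
```

Only the full overwrite drops the attribute written by the following page. The delta write keeps it but still lets the last writer win for any attribute both requests touched, while the version check is the only variant that lets the late request be answered with an error.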