1
votes

Consider the below scenario:

I have two publish servers to serve the requests behind the dispatcher which is performing some load-balancing mechanism distributing requests between the two servers in a round-robin fashion.

Use Case:

The user enters the login credentials on the login page and clicks 'Submit'. The dispatcher directs the request to 'Publish Server 1'. After successful authentication, a session ID is provided to the client and the corresponding session information is stored on 'Publish 1'.

The user hits another protected page but the dispatcher redirects the request to 'Publish Server 2' which doesn't have the session information corresponding to the session ID.

Plausible result: The session is reset and the user is prompted to log in again.

How to handle such a requirement?

Note: My users do not reside in AEM; the authenticity of the users is being validated from a database.

P.S.: I have already been to a few blogs which say that HTTP session clustering is not supported by AEM, but none of them provides the correct solution to the problem.

3
A non-AEM solution may be to use an external data store for your server-side session, with that data store common across all publish servers. Each get and set session call would be a query to that data store. - Abhishek
Hi @Abhishek! Thanks for your suggestion. However, I am looking for some more standard (not necessarily OOTB) AEM-specific approach. - Karttik Mishra
Hi @KarttikMishra, did you find the solution for this problem? I am also in the same boat as of now. - Abie
Hi @Abie, I have moved on from AEM for a couple of years now. However, as far as I remember, I investigated two approaches for this: 1. Closed User Group and 2. Sticky Session. Though not a purely AEM construct, Sticky Session was easier to implement and did solve the purpose. - Karttik Mishra
Hi @KarttikMishra, yes, the problem is solved for me as well. Sticky session was sufficient to solve my use-case. Thanks! - Abie

3 Answers

1
votes

One alternative is to use network routing. We use a load balancer, and it can be configured to enable sticky sessions. It essentially adds a cookie that is used for subsequent requests to route the user to the same publisher that the user hit the first time. This is a non-AEM solution and purely a feature of the network and load balancer, so it may or may not be an option in your case. AEM dispatcher config also allows a stickyConnections configuration that sounds like it would accomplish the same thing done in a network load balancer.


1
votes

You can do the following

  1. Enable Sticky sessions on both dispatcher and the Load Balancer (if you have one)

    #Allowing Sticky sessions
    /stickyConnectionsFor "/content/brand/en-us"
    
  2. Enable Session Management

    #Configuration to increase session timeout limit
    /sessionmanagement
    {
            /directory "/mnt/var/www/html/content/.sessions"
            /header "Cookie:login-token"
            /timeout "3600"
    }
    

    PS: 3600s=60mins

0
votes

Two possible solutions:

1) If an external IDP provides a service for authentication, then store the authentication information in a cookie. Whichever publisher the request goes to, it will use the information in the cookie and check with the IDP service for the session.

2) If using your custom authentication handler, then use sticky sessions at the dispatcher; this will make sure the request goes back to the same publisher where the session is active.
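
To illustrate the cookie option from the last answer next to the failure described in the question, here is an added sketch (not code from any of the posters and not AEM API) in Python. It assumes each publisher validates the cookie locally with an HMAC key shared by all publish instances instead of calling the IDP; `Publisher`, `KEY` and all method names are hypothetical.

```python
import base64, hashlib, hmac, json, secrets

def _sign(key: bytes, payload: str) -> str:
    mac = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

class Publisher:
    """Hypothetical stand-in for one publish instance behind the dispatcher."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.sessions = {}            # in-memory sessions, local to this instance

    # Design from the question: state lives only where the login was handled.
    def login_local(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid

    def user_from_sid(self, sid: str):
        return self.sessions.get(sid)

    # Cookie design: the value carries identity and expiry plus an HMAC over both.
    def login_token(self, user: str, now: int, ttl: int = 3600) -> str:
        claims = json.dumps({"sub": user, "exp": now + ttl})
        payload = base64.urlsafe_b64encode(claims.encode()).decode()
        return payload + "." + _sign(self.key, payload)

    def user_from_token(self, token: str, now: int):
        try:
            payload, sig = token.split(".")
            if not hmac.compare_digest(sig, _sign(self.key, payload)):
                return None           # modified cookie or wrong key
            claims = json.loads(base64.urlsafe_b64decode(payload))
        except (ValueError, TypeError):
            return None               # malformed cookie
        return claims["sub"] if claims["exp"] > now else None

KEY = secrets.token_bytes(32)         # assumption: same key on every publisher
p1, p2 = Publisher("publish1", KEY), Publisher("publish2", KEY)

if __name__ == "__main__":
    sid = p1.login_local("alice")     # constructed user name
    print("session id on publish2:", p2.user_from_sid(sid))
    tok = p1.login_token("alice", now=1000)
    print("signed cookie on publish2:", p2.user_from_token(tok, now=1500))
```

A signed cookie stays valid until its expiry unless some shared server-side state tracks revocation, so keep the lifetime short and send it with the `Secure` and `HttpOnly` attributes.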