Working on the server side of a Java-based web application (will serve mobile and web clients) and I need to implement user authentication. In production I have 2 servers (duplicated, working against the same DB) with a load balancer. I used Spring Security before, so this is the most intuitive way for me, but here is my issue:
Spring Security authenticates the user once against the DB (when the user logs in) and later requests are processed and authenticated using a session-based token. Now, suppose that one of my production servers is down; then I’m losing my session, meaning the user will get some sort of “unauthorized” response. How can I deal with this?
I thought of 3 options
So these are my thoughts; I would like to get your insights about those and new suggestions if you have any.
How about the state the user maintains across the session?
If you have such a situation, then you’ll lose the data if the server fails.
I think the best would be starting with a sticky session mechanism here and leaving the authentication as is.
Sticky sessions can be configured on the load balancer and usually mean the following:
I don’t think that authenticating each request is a good idea (think about Web 2.0, AJAX requests) – this will make your server and DB highly loaded and as a result it won’t be able to process a lot of users/requests simultaneously.
Hope this helps
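As an added illustration of the cookie-based sticky sessions the answer recommends (example configuration, not part of the answer above), here is how it would look on an HAProxy load balancer in front of the two application servers. The server names, addresses and the `SERVERID` cookie name are assumptions; the `httponly` and `secure` keywords keep the affinity cookie off script and plain HTTP, and `option redispatch` defines what happens in the failure case the answer describes.

```haproxy
# Assumed frontend: TLS terminated here, traffic forwarded to the app backend
frontend web
    bind *:443 ssl crt /etc/haproxy/certs/site.pem
    default_backend app

backend app
    balance roundrobin
    # Insert an affinity cookie so a browser keeps hitting the server that
    # holds its Spring Security HttpSession. 'indirect' hides the cookie from
    # the servers, 'nocache' marks the Set-Cookie response non-cacheable,
    # 'httponly'/'secure' protect the cookie like the JSESSIONID itself.
    cookie SERVERID insert indirect nocache httponly secure
    # If the pinned server is down, send the request to a live one instead of
    # failing it. The user then lands on a server without their session and
    # must log in again, which is the data loss the answer warns about.
    option redispatch
    server app1 10.0.0.11:8080 check cookie app1
    server app2 10.0.0.12:8080 check cookie app2
```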