7.18. Making Web Applications Stateless

7.18.1. Basic concept

The HTTP session provided by the servlet API cannot be scaled out as it is because the AP server has its own state. Normally, you need to take the following measures to scale out the AP server.

  1. Enable sticky sessions in the load balancer
  2. use the session replication function of the AP server
  3. set the AP server’s HTTP session destination to NoSQL

1 and 2 are inferior in terms of ease of disposability, as referred to in the Twelve-Factor App, while 2 and 3 are dependent on the AP server.

Although some of the features used by Nablarch depend on HTTP sessions, they are by switching these features to HTTP session-independent ones, the The AP server can be made stateless.

7.18.3. How to implement the HTTP session-independent feature

You can remove dependence on HTTP sessions by configuring each function of Features that depend on HTTP sessions as follows. HTTP rewrite handler

Do not use HTTP Rewrite Handler. If it is used, configure it so that the session scope is not accessed. Hidden encryption

Nablarch provides the feature of hidden encryption. Since this feature is HTTP session dependent, set useHiddenEncryption to false to not use it.

7.18.4. Using the local file system

If you store uploaded files and so on locally on the AP server, they will have state. In such a case, you need to prepare a shared storage space so that the AP server does not have files locally.

7.18.5. Detecting accidental creation of HTTP sessions

To prevent accidental creation of HTTP sessions due to a misconfiguration or an implementation error, a feature to detect the creation of HTTP sessions is provided. When this feature is enabled, an exception is sent when an attempt to create an HTTP session is made.

This feature can be enabled by setting the preventSessionCreation property of the WebFrontController to true (disabled by default at false).

Specifically, the detection function can be enabled by writing the following in the configuration file that defines the components of WebFrontController.

<!-- handler queue configuration -->
<component name="webFrontController"

  <!-- Detecting accidental creation of HTTP sessions -->
  <property name="preventSessionCreation" value="true" />