7.18. Making Web Applications Stateless ¶

Table of contents

Making Web Applications Stateless

7.18.1. Basic concept ¶

The HTTP session provided by the servlet API cannot be scaled out as it is because the AP server has its own state. Normally, you need to take the following measures to scale out the AP server.

Enable sticky sessions in the load balancer
use the session replication function of the AP server
set the AP server’s HTTP session destination to NoSQL

1 and 2 are inferior in terms of ease of disposability, as referred to in the Twelve-Factor App, while 2 and 3 are dependent on the AP server.

Although some of the features used by Nablarch depend on HTTP sessions, they are by switching these features to HTTP session-independent ones, the The AP server can be made stateless.

7.18.2. Features that depend on HTTP sessions ¶

The following features depend on the HTTP session by default.

7.18.3. How to implement the HTTP session-independent feature ¶

You can remove dependence on HTTP sessions by configuring each function of Features that depend on HTTP sessions as follows.

7.18.3.1. Session store ¶

Save the expiration date in the database

7.18.3.2. Double submission prevention ¶

Double submission prevention using the database

7.18.3.3. Thread context cariable management handler ¶

Do not use the following components in thread context initialization.

Each of the following components can be substituted as implementations that do not use HTTP sessions.

7.18.3.4. HTTP rewrite handler ¶

Do not use HTTP Rewrite Handler. If it is used, configure it so that the session scope is not accessed.

7.18.3.5. Hidden encryption ¶

Nablarch provides the feature of hidden encryption. Since this feature is HTTP session dependent, set useHiddenEncryption to false to not use it.

7.18.4. Using the local file system ¶

If you store uploaded files and so on locally on the AP server, they will have state. In such a case, you need to prepare a shared storage space so that the AP server does not have files locally.

7.18.5. Detecting accidental creation of HTTP sessions ¶

To prevent accidental creation of HTTP sessions due to a misconfiguration or an implementation error, a feature to detect the creation of HTTP sessions is provided. When this feature is enabled, an exception is sent when an attempt to create an HTTP session is made.

This feature can be enabled by setting the preventSessionCreation property of the WebFrontController to true (disabled by default at false).

Specifically, the detection function can be enabled by writing the following in the configuration file that defines the components of WebFrontController.

<!-- handler queue configuration -->
<component name="webFrontController"
           class="nablarch.fw.web.servlet.WebFrontController">

  <!-- Detecting accidental creation of HTTP sessions -->
  <property name="preventSessionCreation" value="true" />