spring-projects / spring-session

Spring Session
https://spring.io/projects/spring-session
Apache License 2.0

Session shared by multiple apps crashes due to ClassNotFoundException #165

Closed cscheffel closed 9 years ago

cscheffel commented 9 years ago

We try to use spring-session within multiple apps (i.e. spring-boot apps) and a central redis instance.

Some of our apps use spring webflow and session based proxy beans to manage the application's state. So the session includes some application specific classes serialized binary.

If app 1 stores an object of class A into the session and app 2 does not include a Class of type A, the deserialization during the session load from redis crashes.

Of course, one solution would be to use different redis instances for different app clusters, but because we use a bunch of microservices with spring boot, this is not an option.

Another solution would be to use an app specific prefix for the redis session keys (i.e. "spring:session:sessions-appspecific:" instead of "spring:session:sessions:").

I tried to configure this in RedisOperationsSessionRepository, but there is no option to do so. In addition, there are some other places where the session string is hardcoded.

I tried to manipulate the session key builder directly, but it is private.

The Question: Are there any plans to support app-cluster-local session keys in spring session or any other idea to solve this problem?

rwinch commented 9 years ago

I guess my question is...how do app 1 and app 2 see the same session id? Spring Session typically stores the session cookie in a cookie with a path of the context root. So this means that the session id for app 1 should not be visible to app 2.

cscheffel commented 9 years ago

In the current preproduction-state, all the services run under "localhost" with different ports. You are right (of course), that this is a "developer only"-problem, so I guess, that this will not be the case for us in production (thanks for the question like answer).

BUT: What about Rest-based services used internally in our datacenter?

There we will have several apps (i.e. rest services) on the same host using different ports only. I know, that a "good" rest service should be state free, but sometimes real life doesn't allow this.

Today, this is not a current problem because we have not switched all services to spring session, but I have to keep this in mind.

So, maybe my original question isn't so stupid.

rwinch commented 9 years ago

> I know, that a "good" rest service should be state free, but sometimes real life doesn't allow this.

A "good" REST service should have no state in the server. The state is transferred into data stores (i.e. a database). So I think this is perfectly reasonable.

If someone disagrees with you...ask them "If the client truly had all the state, what would be the point of communicating with the server?" No one complains when a REST service stores application data in a data store, why this hang up with Session? The reason I have found is that Session typically has historical connotations that make people uneasy (likely due to using it wrong).

> So, maybe my original question isn't so stupid.

Hopefully I didn't come off condescending (it was not my intention). I was not trying to imply the question was stupid. I'm just wanting to understand the problem before we try to solve it :)

The more I think about it, the more I agree that developers may need to isolate Spring Session for their application without requiring another database.

Can you create a ticket that we can use as an enhancement request to support Session Isolation?

cscheffel commented 9 years ago

I would like to create a ticket, but do not see where and how to do this.

I looked at http://jira.spring.io where all other spring projects can be found but can't see spring session there.

Would it be enough for you to write down the text here (or in a new issue)?

rwinch commented 9 years ago

Sorry I was not more explicit. Spring Session uses GitHub to manage tickets. I realize this is technically a ticket, but this is more of a discussion than a specific request to have a single redis instance in our tracking. If someone read the heading of this issue in release notes, it would not really clue them in as to what the new feature is.

I'd create it myself, but I have found typically it is best to have the person with the request create it because we don't get lost in translation.

Thanks again for your feedback on Spring Session!

cscheffel commented 9 years ago

I have opened an enhancement request under #166 and will close this question.

rwinch commented 9 years ago

Thanks @cscheffel !
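
The isolation discussed in this thread, as an added example that is not code from the thread or from the Spring Session project: it assumes a Spring Session release that provides the `redisNamespace` attribute on `@EnableRedisHttpSession`, and the names `orders`, `ORDERS_SESSION` and `OrdersSessionConfig` are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;

// Added example: one application's session configuration when several
// applications share a single Redis instance and a single host name.
// "orders" and "ORDERS_SESSION" are hypothetical, application-specific values.
@Configuration
// Keep this application's session keys under its own namespace in Redis, so it
// never loads (and never tries to deserialize) session attributes whose
// classes exist only on another application's classpath.
@EnableRedisHttpSession(redisNamespace = "orders")
public class OrdersSessionConfig {

    @Bean
    public CookieSerializer cookieSerializer() {
        DefaultCookieSerializer serializer = new DefaultCookieSerializer();
        // Cookies are scoped by host and path, not by port. Services on the
        // same host with different ports (the localhost setup in this thread)
        // receive each other's session cookie unless the cookie name or path
        // differs, so give each application its own cookie name.
        serializer.setCookieName("ORDERS_SESSION");
        return serializer;
    }
}
```

Each application sharing the Redis instance would use its own namespace and cookie name; the namespace alone keeps the stored data apart, while the cookie name stops one application from presenting another application's session id.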