两只小蚂蚁


HTTP session:

A sequence of network request-response transactions.

HTTP is a stateless protocol. A stateless protocol does not require the HTTP server to retain information or status about each user for the duration of multiple requests. However, some web applications implement states or server side sessions using for instance HTTP cookies or hidden variables within web forms.

Server-side sessions:

Handy and efficient, but they can become difficult to handle in conjunction with load-balancing/high-availability systems and are not usable at all in some embedded systems with no storage. The load-balancing problem can be solved by using shared storage or by applying forced peering between each client and a single server in the cluster, although this can compromise system efficiency and load distribution.


Client-side web sessions:

Client-side sessions use cookies and cryptographic techniques to maintain state without storing as much data on the server. When presenting a dynamic web page, the server sends the current state data to the client (web browser) in the form of a cookie. The client saves the cookie in memory or on disk. With each successive request, the client sends the cookie back to the server, and the server uses the data to "remember" the state of the application for that specific client and generate an appropriate response.
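A client-side session of the kind described above stands or falls on the "cryptographic techniques" part: the server must be able to tell whether the cookie it gets back is the one it issued. The following added example (written for this post; it is not code from the original article or from any library) shows the minimal form of that: the state is serialised with an expiry, signed with an HMAC under a server-only key, and on every request the signature is checked in constant time before the payload is trusted. The secret key and the session contents are constructed values for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example only; a real server loads it from a secret store.
SECRET_KEY = b"example-only-server-secret-do-not-reuse"


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-friendly."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    pad = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + pad)


def encode_session(state: dict, ttl_seconds: int, key: bytes = SECRET_KEY, now=None) -> str:
    """Turn session state into a cookie value of the form payload.signature.

    The payload carries an expiry so a stale cookie is rejected later; the
    HMAC-SHA256 tag lets the server detect any modification made on the client.
    """
    now = time.time() if now is None else now
    payload = dict(state, exp=int(now) + ttl_seconds)
    body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def decode_session(cookie: str, key: bytes = SECRET_KEY, now=None):
    """Return the state dict if the cookie is authentic and unexpired, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = cookie.split(".", 1)
    except ValueError:
        return None  # malformed: no separator
    expected = _b64e(hmac.new(key, body.encode(), hashlib.sha256).digest())
    # Verify the tag BEFORE parsing, and in constant time, so a forged or
    # edited payload is never interpreted and signature checks leak no timing.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        payload = json.loads(_b64d(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None  # expired or missing expiry
    payload.pop("exp")
    return payload


if __name__ == "__main__":
    cookie = encode_session({"user": "alice", "role": "user"}, ttl_seconds=3600)
    print("issued:", cookie)
    print("verified state:", decode_session(cookie))
```

Because the server stores nothing, revocation before expiry is not possible with this scheme alone, which is why the time-to-live is part of the signed payload rather than a separate cookie attribute the client controls.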


Session Cluster Solution:

Replace the server-side session management module so that all nodes use a single shared component, for example a Redis Cluster, to store session data.
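The shared-storage approach above is easier to see in code. This added example (written for this post, not the page's or any framework's own code) models a server-side session store that two application nodes share: a plain dict stands in for the Redis Cluster (an assumption for the example), session ids come from a cryptographically strong random source, entries expire after a TTL, and it goes one step beyond the text by including an id rotation step, the usual practice of issuing a fresh id once a session's privilege level changes. The injectable clock exists only so the example can be run offline with a fixed time.

```python
import secrets
import time
from typing import Callable, Optional


class SharedSessionStore:
    """Server-side session store backed by one shared component.

    Every node in the cluster is constructed over the same backend object,
    so a request can be served by any node without sticky routing.
    """

    def __init__(self, ttl_seconds: int, backend: Optional[dict] = None,
                 clock: Callable[[], float] = time.time):
        # `backend` stands in for the shared Redis Cluster; a dict is used here.
        self._backend = {} if backend is None else backend
        self._ttl = ttl_seconds
        self._clock = clock

    def create(self, data: dict) -> str:
        """Store data under a new unguessable id and return the id."""
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._backend[sid] = (dict(data), self._clock() + self._ttl)
        return sid

    def get(self, sid: str) -> Optional[dict]:
        """Return a copy of the session data, or None if unknown or expired."""
        entry = self._backend.get(sid)
        if entry is None:
            return None
        data, expires_at = entry
        if expires_at <= self._clock():
            del self._backend[sid]  # lazy expiry on access
            return None
        return dict(data)

    def rotate(self, sid: str) -> Optional[str]:
        """Move the data to a fresh id and invalidate the old one."""
        data = self.get(sid)
        if data is None:
            return None
        del self._backend[sid]
        return self.create(data)

    def destroy(self, sid: str) -> None:
        self._backend.pop(sid, None)


if __name__ == "__main__":
    shared = {}
    node_a = SharedSessionStore(ttl_seconds=60, backend=shared)
    node_b = SharedSessionStore(ttl_seconds=60, backend=shared)
    sid = node_a.create({"user": "alice"})
    print("node_b sees session created on node_a:", node_b.get(sid))
```

With a real Redis backend the TTL would be set on the key itself (so expiry does not depend on a later read), but the shape of the code, one shared store reached by every node, is the same.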

Another article: 

CAS Enterprise Single Sign-On:

The Central Authentication Service (CAS) project, open source on GitHub, supports the following features:

  • CAS v1, v2 and v3 Protocol
  • SAML v1 and v2 Protocol
  • OAuth Protocol
  • OpenID & OpenID Connect Protocol
  • WS-Federation Passive Requestor Protocol
  • Authentication via JAAS, LDAP, RDBMS, X.509, Radius, SPNEGO, JWT, Remote, Trusted, BASIC, Apache Shiro, MongoDb, Pac4J and more.
  • Delegated authentication to WS-FED, Facebook, Twitter, SAML IdP, OpenID, OpenID Connect, CAS and more.
  • Authorization via ABAC, Time/Date, REST, Internet2's Grouper and more.
  • HA clustered deployments via Hazelcast, Ehcache, JPA, Memcached, Apache Ignite, MongoDb, Redis, DynamoDb, Couchbase and more.
  • Application registration backed by JSON, LDAP, YAML, JPA, Couchbase, MongoDb, DynamoDb, Redis and more.
  • Multifactor authentication via Duo Security, YubiKey, RSA, Google Authenticator, Microsoft Azure and more.
  • Administrative UIs to manage logging, monitoring, statistics, configuration, client registration and more.
  • Global and per-application user interface theme and branding.
  • Password management and password policy enforcement.


Reference: https://en.wikipedia.org/wiki/Session_(computer_science)#Server-side_web_sessions

posted on 2018-01-28 20:43 by 两只小蚂蚁