Reputation: 623
I understand that token-based authentication is widely used for microservices, especially when there is horizontal scaling.
For microservices also, can we use sessions by storing them in a database? The series of requests would be:
Will this not be a good session management for microservices? Do microservices always have to be stateless?
Upvotes: 0
Views: 348
Reputation: 1
The reason token-based authentication is used for microservices is to avoid having to share session state between the services.
If you specifically refer to an implementation of the javax.servlet.http.HttpSession object, this is normally local to one server (service) and it would take some custom code to reload this based on the session id provided, if at all possible in your particular runtime (don't know what software you are using).
I don't see why your suggestion wouldn't be possible though, but I would carefully consider if it is an absolute requirement. There might be other, simpler, ways to achieve what you want.
One way of doing it would be to issue a token (JWT comes to mind) when logging in, and have the other services simply verify this token and extract the user data from it. This way no lookup of user data is required for authentication after the first login.
If shared state is what you need, I would suggest finding some existing software to handle the session storage. I see that for instance Redis has a solution for session management.
Also you may check out the answers to this question
Upvotes: 0
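The token flow suggested in the answer above, as an added example that is not part of the original posts: a login service issues a signed JWT once, and any other service verifies it locally without a session or user lookup. It assumes HS256 with a key shared between services (to stay within the Python standard library); the key, the function names and the claim values are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

SHARED_KEY = b"constructed-demo-key"  # assumption: distributed to every service

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, key: bytes) -> str:
    return b64e(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def issue_token(user, roles, ttl=300, key=SHARED_KEY, now=None) -> str:
    """Login service: called once, after the credentials were checked."""
    now = int(time.time()) if now is None else now
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64e(json.dumps({"sub": user, "roles": roles, "exp": now + ttl}).encode())
    signing_input = f"{header}.{claims}"
    return f"{signing_input}.{sign(signing_input, key)}"

def verify_token(token: str, key=SHARED_KEY, now=None) -> dict:
    """Any other service: no session store or user database is consulted."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig = token.split(".")
        header = json.loads(b64d(header_b64))
    except ValueError as exc:  # wrong part count, bad base64 or bad JSON
        raise PermissionError("malformed token") from exc
    # Pin the algorithm; the token must not choose it (rejects "alg": "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise PermissionError("unexpected algorithm")
    # Check the signature in constant time before reading any claim.
    expected = sign(f"{header_b64}.{claims_b64}", key)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        raise PermissionError("bad signature")
    claims = json.loads(b64d(claims_b64))
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    return claims

if __name__ == "__main__":
    token = issue_token("alice", ["orders:read"])
    print(verify_token(token))
```

A token verified this way stays valid until its `exp` time, so logout or revocation before expiry needs shared state again (for example a denylist the services consult), which is the trade-off against the database-backed session in the question.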