3

I have read that, session is against the concept of RESTfulness.

Do sessions really violate RESTfulness?

Session Management in microservices

RESTful Authentication

Since Microservices inevitably use REST, does the same apply here as well? If so, then why do we have Spring session? It even lists 'Spring Session allows providing session ids in headers to work with RESTful APIs' as one of its features.

Mohit Tyagi
  • 2,788
  • 4
  • 17
  • 29
codingsplash
  • 4,785
  • 12
  • 51
  • 90
  • This is going to be primarily opinion-based, but I don't have a problem with sessions as long as the sessions aren't part of the server's local state (e.g., you use Spring Session with Redis). – chrylis -cautiouslyoptimistic- Oct 18 '17 at 05:44

1 Answers1

17

Apart from Scaling as an advantage of micro-services, it also provides you with the flexibility to choose polyglot architecture i.e (using the right programming language, framework, database for the right job).

If you use spring sessions(which off-course provides session replication across nodes), internally it uses Redis/gemfire/hazelcast as a replicated session store, but you will have to stick to one programming language & framework for all your services i.e Java & Spring resp.(You can off course write your own implementation in other languages to read from session store, but its re-inventing the wheels) And this will take away Benefit of Polyglot Architecture.

So typically in microservices architecture, you have a token-service(and it should be able to scale individually) implementation to generate tokens(aka sessionIds) which are used for Authentication & Authorization in each service and you should try to avoid storing the session information. It will also help to avoid "Single point of Failure".

thealchemist
  • 421
  • 4
  • 12
Jaydeep Rajput
  • 3,605
  • 17
  • 35