Session synchronization in distributed systems

Source: Internet
Author: User

A few weeks ago, a reader of Lao Wang's public account, Simplemain, asked him: now that there is more than one server, how do you solve the problem of synchronizing sessions between them? That got Lao Wang's attention, because back in his school days, when he and a few classmates were trying to start a so-called business, he ran into a similar problem. He read a lot of material at the time and still could not solve it. Only later, after joining Baidu, did he finally learn the "Sunflower Treasure Book" and see the light. So today I would like to share what I know about session synchronization.

Following a problem-driven approach, Lao Wang starts with a few questions:

1. What is a session? What is a cookie? What is the difference between the two?

2. Why do sessions need to be synchronized between multiple servers?

3. What methods are there for achieving this synchronization?

Grab a stool, everyone; Lao Wang is about to begin ~

1. The entanglement of Session and Cookie

I believe some readers, like Lao Wang, were once confused by sessions and cookies, or are still struggling with them now. In English, a session is a meeting, while a cookie is a biscuit. How did a meeting and a biscuit get linked together? (You can eat cookies during a meeting.)

Let's look at the explanation from Baidu Encyclopedia:

A. Cookies:

Cookies, sometimes in their plural form, are the data (usually encrypted) stored on the user's local terminal by certain websites in order to identify the user and track the session. Cookies are generated by the server and sent to the User-Agent (typically a browser). The browser saves the cookie's key/value to a text file in a directory and sends the cookie to the server the next time it requests the same website (provided the browser is set to enable cookies).

B. Session:

In computing, especially in network applications, it is called "session control." The Session object stores the properties and configuration information required for a specific user session. This way, when a user jumps between the application's web pages, the variables stored in the Session object are not lost but persist throughout the user's session. When a user requests a web page from an application and does not yet have a session, the web server automatically creates a Session object. When the session expires or is discarded, the server terminates the session.

Did you follow that? I would bet some readers did not. Here is how Lao Wang himself understands them:

A. Cookies:

When a browser sends requests to a server, the server needs to tag them in order to tell different users' requests apart, for example by issuing an access token (access_token) to the client. The token is issued by setting the Set-Cookie HTTP header when the response to the HTTP request is returned.

The above shows the cookies Baidu issued in response to my request. Each Set-Cookie typically contains a key=value pair, an expiration time, and the domain and path it applies to.

When the browser receives such a response header, it stores the cookie safely and sends it along with every later request (subject to the expiration time, domain and path).

What is this cookie like? It is like the ID card the authorities issue. You apply at the relevant department, which puts your ID number, gender, age and so on into a document called an ID card and issues it to you. You need to bring this card (the cookie) with you every time you do something important.

A server generally puts things like an access token (access_token) or a user ID (user_id) into the browser's cookies, so that it recognizes you when you visit the site. Java-style servers in particular use a cookie along the lines of jsession_id: the server uses some algorithm (such as a random algorithm) to generate a string of a certain length (say 10 bytes), "Angowberup", and issues it to the browser: Set-Cookie: jsession_id=Angowberup. The browser treats this cookie like treasure, stores the key and value carefully, and brings them along on every request to the server.

B. Session:

At the same time, the server uses the string "Angowberup" as a key and puts an object of a class called User, with the ID, nickname and so on set, into a map-like container: Map.put("Angowberup", user). When a request arrives from the browser, the server calls GetCookie("jsession_id") to read the string the browser sent, then looks it up in the map to see whether a corresponding user object exists: Map.get(sessionId). If one is found, the server has the user's ID, nickname and other information and can display directly on the page: "Hello Lao Wang, welcome back!" If not, it can redirect to the login page and let the user log in.

The process of visiting a website and requesting different pages over a period of time is called a session. Within one session we can record the state and information of the user's visit. The map-like container is therefore the session manager.

To use a vivid metaphor: if the cookie is your ID card, the session is your personal file. All your information is stored in the file, and the relevant department (the server) manages it. When you want to do something important, you take your ID card to the department to pull your file; the department checks the file and then decides whether you may do it. If you do something bad, they write it into your file (session); and of course, if you win an award, that goes in as well.

Is the connection and difference between cookie and session a bit clearer now? Let's summarize briefly:

A. A cookie is an identifier the server issues to the client; the client remembers it and sends it with every request so that different users can be told apart.

B. A session is the user-related data the server stores on its own side; it is retrieved with the cookie each user brings, restoring the history or environment of the previous visit.

With that in place, we need to discuss the map-like session manager.

2. Session management

As said above, the server uses a map-like container to manage sessions. How is this map actually implemented?

Different servers and different language frameworks implement it differently. Java servers, for example, store sessions in something like a file, with an in-memory cache. Lao Wang has also heard that servers in some languages encrypt the data, set it as a cookie, and save it on the client (browser). What are the pros and cons of these implementations? Let's analyze them one by one. (There may of course be other implementations that Lao Wang does not know about, but the general idea is similar; please point out anything missing.)

A. File mode: The file serves as the map. When new data is added, a record like the following is appended to the file:

    Angowberup =
        data={"user": {"id": 1, "nickname": "Lao Wang"}};
        expiry="2016-10-01 00:00:00"

(Of course, it could also be implemented in a binary format rather than as strings.)

The advantage of this approach is that it can store a large number of user sessions and keep them valid for a long time (for example, three months without the user logging in again). The corresponding problem is that file operations are cumbersome. For example, when a user's session expires and the record must be deleted, the file contents have to be moved or rewritten.

B. Cache mode: Many web logic servers work this way. The benefit is obvious: it is very simple to implement. All the data goes into an in-memory cache, and when a session expires it can simply be deleted from memory. The problem is just as obvious: when the server restarts, all sessions are lost. And when a large number of users log in (or the site may be under attack), the cache fills up quickly and a large number of sessions are evicted by the LRU algorithm, so many sessions become invalid and users have to log in again and again.

C. Cookie mode: This is the laziest way. The server stores no data at all; it treats every client as its storage and only has to do the encryption and decryption. The biggest benefit of this approach is that it is extremely simple (there are other benefits too). The drawback is just as obvious: the client has to carry a lot of information, and the encrypted information has to be kept safe. It is not a good way to store large amounts of data in a session.

Besides the pros and cons above, modes A and B share another problem: once I have more than one server, sharing session data between the servers becomes difficult.


For example, at first I had only server 1, whose session manager held the data of user-1 and user-2. Then I needed to add server 2. When Nginx forwarded a user's request to server 2, it was dumbfounded: the user arrived with the cookie jsession_id=Angowberup, but server 2 could not find that session in its own session manager. What now?! (So frustrating!)

This brings us back to the question we started with: how can user sessions be synchronized in a distributed system?

3. Session synchronization

Given the situation above, we have to consider how to synchronize sessions between multiple servers. Let's look at several common practices:

A. Passing session data through inter-process communication.

This is the approach that comes to mind most easily. Each server opens a socket, and the servers use these sockets to pass the session data they hold to one another. I remember Tomcat doing it this way many years ago (I have not used Tomcat for a long time, so I do not know whether it still works this way).

The benefit of this approach is obvious: the principle is simple and clear. The drawback is obvious too: the synchronization process is complex and easily introduces synchronization delay. For example, a user logs in on server-1, and server-1 stores the user's session. While server-1 is preparing to synchronize the data to server-2, the user's next request arrives at server-2 (the user really is that fast) before server-2 has received the session data from server-1. Server-2 cannot identify the user, and the user has to log in again.

And when there are thousands of servers, session synchronization is a nightmare: every server has to broadcast its own sessions to all the other machines, all the time, without ever stopping... (these machines will probably end up exhausted).

B. Storing the session in the cookie. We already mentioned the lazy way: encrypt the session data and store it in a cookie. When the user sends a request, the data is read straight from the cookie and decrypted. This approach takes the idea of distribution to a whole new level: the user is treated as a member of the distributed system too. If you want your data accessed, carry it with you and bring it to the server on every request; the server is only responsible for decrypting it...

This is a good choice for systems that store only a small amount of data in the session and whose encryption is done well (to resist brute-force and collision attacks). It is super simple, and there is no data synchronization to think about.

However, it does not work well if you want to store large amounts of data in the session. It is also not a good fit for systems with high security requirements (the data is at risk of being cracked).

C. Using a cache cluster or database for session management. We can also solve the session synchronization problem with a different architecture: introduce a single, unified access point for sessions.

Sessions are placed in the cache cluster or database, and every request reads them from there. This way, all machines get the latest session data. This is the solution many medium and large websites use. It is relatively simple to implement (multi-machine sharing is handled by the cache cluster or the master-slave database itself), and it is also efficient and reasonably secure.
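The failure described earlier (server 2 cannot find the session) and the central-store fix, as an added example that is not from the original article. The in-process SessionStore stands in for a cache cluster or database, and the class names, the 1800-second lifetime and the cookie attributes are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

class SessionStore:
    """Map-like session manager: session id -> (user data, expiry time)."""
    def __init__(self):
        self._items = {}

    def create(self, data, ttl, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)      # unguessable id from the OS CSPRNG
        self._items[sid] = (dict(data), now + ttl)
        return sid

    def get(self, sid, now=None):
        now = time.time() if now is None else now
        data, expiry = self._items.get(sid, (None, 0))
        if data is None or expiry <= now:
            self._items.pop(sid, None)       # unknown or expired: treat as absent
            return None
        return data

class WebServer:
    """One web node behind the load balancer (hypothetical class for this demo)."""
    def __init__(self, name, store):
        self.name, self.store = name, store

    def login(self, user, now=None):
        sid = self.store.create(user, ttl=1800, now=now)
        return f"jsession_id={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

    def handle(self, cookie_header, now=None):
        morsel = SimpleCookie(cookie_header).get("jsession_id")
        user = self.store.get(morsel.value, now) if morsel is not None else None
        if user is None:
            return "302 /login"
        return f"200 welcome back, {user['nickname']}"

def run_scenario(shared):
    """Log in on server-1, then let the balancer send the next request to server-2."""
    central = SessionStore()
    s1 = WebServer("server-1", central if shared else SessionStore())
    s2 = WebServer("server-2", central if shared else SessionStore())
    set_cookie = s1.login({"id": 1, "nickname": "Lao Wang"}, now=0)
    cookie = set_cookie.split(";")[0]        # the browser sends back only name=value
    return (s1.handle(cookie, now=10), s2.handle(cookie, now=10),
            s2.handle(cookie, now=1800))     # last request arrives at expiry time
```

With per-server stores the second server redirects to the login page; with the shared store both servers recognize the user until the session expires.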

D. Another approach extends the one above: provide a session service. This service is responsible for managing sessions, and the other servers fetch session data from it on every request, which achieves data sharing.


If you look closely at Baidu or Google, you will notice that when you log in they may redirect you to one of the two domains passport.baidu.com or accounts.google.com. These are where they handle user login and the related session management (I am less sure about Google, since I have only worked at Baidu). When a request comes in, the server takes something like session_id from the cookie and uses it to ask the Passport service for the user's session data.

The benefits of this approach are:

A. It is very easy to scale the number of logged-in users and the amount of stored data. At "X-du" at the time, the sessions of n billion users were managed in this system.

B. It is easy to optimize performance. With the cache-cluster scheme, one broken cache machine invalidates the sessions of some users; with the database scheme, performance problems may appear if the volume is too large. An implementation of this scheme can combine cache and database to get both efficiency and stability. Some interfaces can also be optimized to improve query efficiency.

C. It is closed to the outside, which protects the data. Encryption algorithms, keys and so on can be kept inside the system with only the interface exposed, which makes the data more secure. (User information is a matter of privacy!)

However, this approach has its own problem: operations are relatively more complex, and a dedicated team may be needed to manage these systems.

Of course, there are other means besides the methods above (for example, hashing the user's cookie at the entry point so that a given user is always assigned to the same machine). Since Lao Wang's knowledge is limited, and so is his typing speed, these will do for now. Did you follow all of that?

To summarize:

There are in fact many solutions for session synchronization. None of them is the best; there is only the one that best fits your current architecture. So Lao Wang has laid out a few solutions for everyone to understand. If you can use them in your work, Lao Wang will be very happy ~

Well, Lao Wang has written a lot today. If you want to hear more, bring your little stool every Sunday afternoon to Lao Wang's public account, Simplemain. Lao Wang will be there ~

A bonus for today: the header image of this article shows cookies made by the boss at home. For intellectual-property reasons, and to please the boss, a solemn statement is made here: image by pure! ^_^
