Stateless vs. Stateful

• Stateful Services

Stateful service, The server records the client information of each session, so as to identify the client's identity and perform corresponding processing according to the user's identity.

• Stateless Services

Understanding stateful services, stateless services are easy to understand. The most common implementation of stateless services in practice is to use a token-based approach, namely:

1. The server does not save any client session information;
2. Every request from the client must carry a token, which contains authentication, signature-related information (username, role, permissions, etc.);

Problems with traditional session authentication methods

HTTP itself is stateless, short connection, so we have our traditional Cookie-Session mode, which is in the monomerwidely used in architecture.After the user completes the login, the session information with the user is saved in the Session of the server, and then the server responds with a SessionID to the front end, and the front end sends this The SessionID is stored in Cookie, and subsequent requests carry the Cookie information to continue to initiate the request, and the backend queries its corresponding session information to complete the request response.

There are some problems with this approach:

1. Performance: Every time a session is established, the server needs to store the session information, which increases the pressure on the server to store and query, and takes up valuable storage and computing resources;
2. Scalability: The server saves the user state, and it is difficult to expand horizontally. In the microservice environment, it is necessary to perform state replication and synchronization (Session synchronization, Session sharing) on ​​each server before processing.to expand;
3. CSRF attack: Because this method is based on cookie for user identification, if the cookie is intercepted, the user and the server will be attacked by cross-site request forgery;
4. Cross-platform: Sessions and cookies are hard to work with on mobile apps, you cannot share server-created sessions and cookies with mobile terminals.

Workaround:

JWT common concepts & advantages and disadvantages