HTTP session persistence

Sticky sessions

Sticky sessions are a mechanism used in load balancing to route user requests to the same server each time to maintain session states.

In particular, sticky sessions, or session persistence, means instructing the load balancer to stay linked to a specific node (server) so that session data is not lost when a request would otherwise go to another server. Essentially, the request from a given IP is sent to a delivery server, and follow-up requests continue to go to that same server until the session expires. Session persistence is needed when the project has transactions or required data in the session.

Sticky sessions are typically used in situations where you have some data in the session and the sessions are not replicated between servers, but you also need to ensure that the data doesn’t get lost.

For more on sticky sessions, see here.

CSRF tokens

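CSRF (Cross-Site Request Forgery) filters prevent attackers from tricking users into performing unintended actions on another website, such as updating their login credentials. Without the sticky sessions described above, CSRF protections might be impacted: if a token is validated against session data, a follow-up request routed to a server that does not hold that session cannot be validated.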
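
The following added example (not Magnolia's code) simulates why a legitimate form submission can be rejected when sessions are not replicated and requests are not pinned to one node. The classes Node, RoundRobinBalancer and StickyBalancer are hypothetical, and the example assumes the CSRF token is kept in a node-local session.

```python
import hmac
import itertools
import secrets

class Node:
    """One app server with a local, non-replicated session store."""
    def __init__(self):
        self.sessions = {}  # session id -> CSRF token, held in this node's memory only

    def get_form(self, sid):
        # Issue a CSRF token and bind it to the session on this node.
        token = secrets.token_urlsafe(32)
        self.sessions[sid] = token
        return token

    def post_form(self, sid, token):
        expected = self.sessions.get(sid)
        if expected is None:
            return 403  # session unknown on this node: token cannot be validated
        return 200 if hmac.compare_digest(expected, token) else 403

class RoundRobinBalancer:
    """Sends each request to the next node, ignoring the session."""
    def __init__(self, nodes):
        self._cycle = itertools.cycle(nodes)

    def route(self, sid):
        return next(self._cycle)

class StickyBalancer:
    """Pins each session id to the node that served its first request."""
    def __init__(self, nodes):
        self._cycle = itertools.cycle(nodes)
        self._pinned = {}

    def route(self, sid):
        if sid not in self._pinned:
            self._pinned[sid] = next(self._cycle)
        return self._pinned[sid]

def submit_form(balancer, sid):
    """GET the form, then POST it back; return the POST status code."""
    token = balancer.route(sid).get_form(sid)
    return balancer.route(sid).post_form(sid, token)

def demo():
    sid = "constructed-session-id"  # constructed sample value
    plain = submit_form(RoundRobinBalancer([Node(), Node()]), sid)
    sticky = submit_form(StickyBalancer([Node(), Node()]), sid)
    return plain, sticky  # (403, 200): only the sticky path validates the token
```

In the round-robin case the POST lands on a node that never issued the token, so the valid request is refused; a wrong token is still refused on the sticky path.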

Serialization of classes for HTTP clustering

Session serialization is the process of converting an object’s state into a format that can be easily stored or transmitted, such as in a file or over a network. This allows the object to be reconstructed later with the same state. Web development typically uses it to maintain user sessions across multiple requests.

As Magnolia currently does not provide serialization of classes for HTTP clustering, persistence of HTTP sessions is disabled by default in the configuration of the Tomcat container bundled together with Magnolia.

Disabling session persistence removes the java.io.NotSerializableException warning from the logs. To disable the persistence in Tomcat bundled together with a previous version of Magnolia, follow the instructions available at the apache.org website.

Session persistence settings in WebSphere:

  1. Go to Application Servers > ServerName > Session Management > Distributed environment settings.

  2. In the Distributed session properties tab, choose None.

For more, see SUPPORT-12289.


Magnolia 6.3 beta

Magnolia 6.3 is in beta. We are updating docs based on development and feedback. Consider the 6.3 docs currently in a state of progress and not final.

We are working on some 6.3-beta known issues during this phase.