[keycloak-dev] Clustering and user sessions

Marek Posolda mposolda at redhat.com
Wed Sep 17 06:46:33 EDT 2014


I am thinking about a scenario like this (assuming sessionIdleTimeout is 5 
minutes and the cluster update period is 60 seconds):
* User logs in at time 0
* At time 4:30 he refreshes the token, which will update lastSessionRefresh on 
his userSession. This will happen on cluster node1
* At time 5:15 he sends another refresh token request, which would be 
redirected by the loadbalancer to node2 this time. Assuming that the last 
cluster update from node1 to node2 happened at 4:20, the next update will 
happen at 5:20. So ATM node2 will see that the session is idle for 5 minutes 
and 15 seconds (as the last refresh at 4:30 is not yet visible to node2). So 
node2 will log out the session due to timeout.

So right now it seems safer to me to update lastSessionRefresh 
immediately to the cluster. Or am I missing something?

I wonder if access to each UserSession can always happen just to the same 
cluster node, but it seems that we won't be able to guarantee this. 
Even with sticky sessions, the communication from the same user (and 
UserSession) can happen either via browser (SSO login to a different 
application) or via back channel from adapters (refreshing tokens etc) 
and right now I am not seeing much of a way to guarantee a sticky session 
between those.

Marek

On 15.9.2014 14:52, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Monday, 15 September, 2014 2:41:39 PM
>> Subject: Re: [keycloak-dev] Clustering and user sessions
>>
>> Only works for session refreshes.  Also leaves an open window that the
>> user is still logged in after they log out.
> Yes, it's only for session refreshes, but IMO that's going to be the biggest traffic generator. For login and logouts we're going to have to send a message per event.
>
>> On 9/15/2014 8:28 AM, Stian Thorgersen wrote:
>>> Had an idea with regards to clustering and user sessions. Instead of
>>> sending messages to the cluster when an individual user session is
>>> refreshed all nodes send a periodic update message. Obviously that's only
>>> for user sessions and not for admin updates, where we should still send
>>> invalidation messages for each update.
>>>
>>> Each node would keep a note of all user sessions where it has updated
>>> LastSessionRefresh, and once every period it would send this list to all
>>> nodes. This should mean that instead of sending a message every time a
>>> single session is updated, we send a single message per node every 60
>>> seconds or so (should be configurable). When receiving a message from the
>>> cluster the node would go through the list and update the user sessions
>>> where the received LastSessionRefresh is higher than the one it has
>>> itself. Nodes still use the mem user sessions store, but with the cache on
>>> top.
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
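
Added example, not part of the original message or Keycloak's code: a small Python model of the batched LastSessionRefresh proposal, replayed against the timeline in the message above and compared with immediate propagation. The `Node` class, `run_timeline`, `sync_offset` and the session id `s1` are hypothetical names; the model assumes login reaches every node as its own event, as the quoted reply states.

```python
IDLE_TIMEOUT = 5 * 60  # sessionIdleTimeout from the post, seconds
SYNC_PERIOD = 60       # cluster update period from the post, seconds

class Node:
    def __init__(self):
        self.last_refresh = {}  # session id -> lastSessionRefresh as this node sees it
        self.dirty = set()      # sessions refreshed here since the last batch message

    def merge(self, batch):  # receiver side: keep the higher LastSessionRefresh
        for sid, ts in batch.items():
            if sid in self.last_refresh and ts > self.last_refresh[sid]:
                self.last_refresh[sid] = ts

    def refresh(self, sid, now, peers, immediate):
        """Serve a refresh-token request; False means this node timed the session out."""
        seen = self.last_refresh.get(sid)
        if seen is None or now - seen > IDLE_TIMEOUT:
            self.last_refresh.pop(sid, None)  # local logout due to idle timeout
            return False
        self.last_refresh[sid] = now
        if immediate:
            for peer in peers:
                peer.merge({sid: now})
        else:
            self.dirty.add(sid)
        return True

    def flush(self, peers):  # sender side: one message per period with local refreshes
        batch = {s: self.last_refresh[s] for s in self.dirty if s in self.last_refresh}
        self.dirty.clear()
        for peer in peers:
            peer.merge(batch)

def run_timeline(immediate, sync_offset=20):
    """Replay the timeline from the post; returns {request time: accepted?}."""
    node1, node2 = Node(), Node()
    for node in (node1, node2):
        node.last_refresh["s1"] = 0  # login at 0:00, sent to all nodes as its own event
    requests = {270: (node1, node2), 315: (node2, node1)}  # 4:30 on node1, 5:15 on node2
    outcome = {}
    for now in range(331):
        if not immediate and now % SYNC_PERIOD == sync_offset:  # ... 4:20, 5:20
            node1.flush([node2])
            node2.flush([node1])
        if now in requests:
            node, peer = requests[now]
            outcome[now] = node.refresh("s1", now, [peer], immediate)
    return outcome
```

With the default offset the batch ticks fall at 4:20 and 5:20, so node2 rejects the 5:15 request; moving the tick to 4:35 (`sync_offset=35`) makes the same request succeed, which shows the outcome depends only on where the batch boundary lands.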
