在分布式系统架构中,用户请求可能被负载均衡器分发到不同的服务器节点。如果用户的第一次请求落在服务器A并创建了Session,而第二次请求被路由到服务器B,服务器B无法识别该用户的Session状态,导致用户需要重新登录,这显然是灾难性的用户体验。
三种解决方案
粘性会话(Sticky Sessions)
例如在Nginx的负载均衡策略中,通过IP哈希等策略将同一个ip的用户请求固定到同一服务器中,这样session自然也没有失效。
缺点:单点故障风险高(服务器宕机导致Session丢失);扩容时Rehash引发路由混乱。
Session复制
例如在Tomcat集群中实现Session复制,需通过修改配置文件使不同节点间自动同步会话数据。集群内所有服务器实时同步Session数据。
缺点:同步开销随服务器数量指数级增长,引发网络风暴和内存浪费。
redis统一存储
SpringBoot整合Spring Session,通过redis存储方式实现session共享。
通过集中存储Session(如Redis),实现:
- 无状态扩展:新增服务器无需同步Session,直接访问中央存储。
- 高可用性:即使单服务器宕机,会话数据仍可从Redis恢复,用户无感知。
- 数据一致性:所有服务器读写同一份Session数据,避免状态冲突
Spring Session + Redis集成
添加依赖
在pom.xml中引入关键依赖:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-redis</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.session</groupId>
<artifactId>spring-session-data-redis</artifactId>
</dependency>
配置Redis连接
在application.properties中加上Redis的配置:
spring:
data:
redis:
host: localhost
port: 6379
redis配置类
需要注入一个名为springSessionDefaultRedisSerializer的序列化对象,用于在redis中写入对象时进行序列化,不然session中存入对象会抛出异常。
package com.morris.redis.demo.session;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.serializer.GenericJackson2JsonRedisSerializer;
@Configuration
public class RedisConfig {
@Bean
public GenericJackson2JsonRedisSerializer springSessionDefaultRedisSerializer() {
// 需要注入一个名为springSessionDefaultRedisSerializer的序列化对象
// 不然session中存入对象会抛出异常
return new GenericJackson2JsonRedisSerializer();
}
}
不需要显示的通过注解@EnableRedisHttpSession来开启session共享。
使用Session
package com.morris.redis.demo.session;
import jakarta.servlet.http.HttpSession;
import org.springframework.web.bind.annotation.*;
@RestController
public class AuthController {
@PostMapping("/login")
public String login(HttpSession session, @RequestBody User user) {
// 验证用户凭证...
session.setAttribute("currentUser", user);
return "登录成功,SessionID:" + session.getId();
}
@GetMapping("/profile")
@ResponseBody
public User profile(HttpSession session) {
// 任意服务节点都能获取到相同Session
return (User) session.getAttribute("currentUser");
}
}
session共享验证
调用登录接口:
$ curl --location --request POST 'http://172.23.208.1:8080/login' --header 'Content-Type: application/json' --data-raw '{"name": "morris"}' -v
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 172.23.208.1:8080...
* TCP_NODELAY set
* Connected to 172.23.208.1 (172.23.208.1) port 8080 (#0)
> POST /login HTTP/1.1
> Host: 172.23.208.1:8080
> User-Agent: curl/7.68.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 18
>
* upload completely sent off: 18 out of 18 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 200
< Set-Cookie: SESSION=ZTE0Yjc5NjItODFiZS00ZGYwLWE0NDktYTBjNmQ4ZjUxYmYy; Path=/; HttpOnly; SameSite=Lax
< Content-Type: text/plain;charset=UTF-8
< Content-Length: 63
< Date: Tue, 24 Jun 2025 03:23:52 GMT
<
* Connection #0 to host 172.23.208.1 left intact
登录成功,SessionID:e14b7962-81be-4df0-a449-a0c6d8f51bf2
可以看到返回的响应头中带有cookie,后续请求需要带上这个cookie去请求接口才能识别出用户。
查询用户信息:
$ curl --location --request GET 'http://172.23.208.1:8080/profile' --cookie 'SESSION=ZTE0Yjc5NjItODFiZS00ZGYwLWE0NDktYTBjNmQ4ZjUxYmYy'
{"name":"morris"}
可以修改端口再启动一个服务,换个服务查询用户信息:
$ curl --location 'http://172.23.208.1:8082/profile' --cookie 'SESSION=ZTE0Yjc5NjItODFiZS00ZGYwLWE0NDktYTBjNmQ4ZjUxYmYy'
{"name":"morris"}
高级配置
自定义Cookie配置(支持跨域)
@Bean
public CookieSerializer cookieSerializer() {
DefaultCookieSerializer serializer = new DefaultCookieSerializer();
serializer.setCookieName("JSESSIONID");
serializer.setDomainNamePattern("example.com");
serializer.setCookiePath("/");
return serializer;
}
Spring Session核心原理
SessionAutoConfiguration
这就是为什么不需要使用注解@EnableRedisHttpSession来开启session共享。
SessionAutoConfiguration类中会引入RedisSessionConfiguration。
@Configuration(proxyBeanMethods = false)
@ConditionalOnMissingBean(SessionRepository.class)
@Import({ RedisSessionConfiguration.class, JdbcSessionConfiguration.class, HazelcastSessionConfiguration.class,
MongoSessionConfiguration.class })
static class ServletSessionRepositoryConfiguration {
}
RedisSessionConfiguration类中会引入RedisHttpSessionConfiguration:
@Configuration(proxyBeanMethods = false)
@ConditionalOnProperty(prefix = "spring.session.redis", name = "repository-type", havingValue = "default", matchIfMissing = true)
@Import(RedisHttpSessionConfiguration.class)
static class DefaultRedisSessionConfiguration {
而注解@EnableRedisHttpSession引入的配置类也是RedisSessionConfiguration:
@Retention(java.lang.annotation.RetentionPolicy.RUNTIME)
@Target({ java.lang.annotation.ElementType.TYPE })
@Documented
@Import(SpringHttpSessionConfiguration.class)
public @interface EnableSpringHttpSession {
}
SessionRepositoryFilter
自定义过滤器SessionRepositoryFilter拦截所有请求,透明地替换了Servlet容器原生的HttpSession实现。
将请求包装为SessionRepositoryRequestWrapper:
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
throws ServletException, IOException {
request.setAttribute(SESSION_REPOSITORY_ATTR, this.sessionRepository);
SessionRepositoryRequestWrapper wrappedRequest = new SessionRepositoryRequestWrapper(request, response);
SessionRepositoryResponseWrapper wrappedResponse = new SessionRepositoryResponseWrapper(wrappedRequest,
response);
try {
filterChain.doFilter(wrappedRequest, wrappedResponse);
}
finally {
wrappedRequest.commitSession();
}
}
HttpServletRequestWrapper
HttpServletRequestWrapper中重写getSession()方法实现session会话替换。
public HttpSessionWrapper getSession(boolean create) {
HttpSessionWrapper currentSession = getCurrentSession();
if (currentSession != null) {
return currentSession;
}
S requestedSession = getRequestedSession();
if (requestedSession != null) {
if (getAttribute(INVALID_SESSION_ID_ATTR) == null) {
requestedSession.setLastAccessedTime(Instant.now());
this.requestedSessionIdValid = true;
currentSession = new HttpSessionWrapper(requestedSession, getServletContext());
currentSession.markNotNew();
setCurrentSession(currentSession);
return currentSession;
}
}
else {
// This is an invalid session id. No need to ask again if
// request.getSession is invoked for the duration of this request
if (SESSION_LOGGER.isDebugEnabled()) {
SESSION_LOGGER.debug(
"No session found by id: Caching result for getSession(false) for this HttpServletRequest.");
}
setAttribute(INVALID_SESSION_ID_ATTR, "true");
}
if (!create) {
return null;
}
if (SessionRepositoryFilter.this.httpSessionIdResolver instanceof CookieHttpSessionIdResolver
&& this.response.isCommitted()) {
throw new IllegalStateException("Cannot create a session after the response has been committed");
}
if (SESSION_LOGGER.isDebugEnabled()) {
SESSION_LOGGER.debug(
"A new session was created. To help you troubleshoot where the session was created we provided a StackTrace (this is not an error). You can prevent this from appearing by disabling DEBUG logging for "
+ SESSION_LOGGER_NAME,
new RuntimeException("For debugging purposes only (not an error)"));
}
S session = SessionRepositoryFilter.this.sessionRepository.createSession();
session.setLastAccessedTime(Instant.now());
currentSession = new HttpSessionWrapper(session, getServletContext());
setCurrentSession(currentSession);
return currentSession;
}
RedisSessionRepository
RedisSessionRepository负责创建RedisSession。
public RedisSession createSession() {
MapSession cached = new MapSession(this.sessionIdGenerator);
cached.setMaxInactiveInterval(this.defaultMaxInactiveInterval);
RedisSession session = new RedisSession(cached, true);
session.flushIfRequired();
return session;
}
RedisSession
session保存时使用的是sessionRedisOperations,其实就是RedisTemplate,这个RedisTemplate是spring session自己创建的,而不是使用的项目中的。
private void save() {
saveChangeSessionId();
saveDelta();
if (this.isNew) {
this.isNew = false;
}
}
private void saveDelta() {
if (this.delta.isEmpty()) {
return;
}
String key = getSessionKey(getId());
RedisSessionRepository.this.sessionRedisOperations.opsForHash().putAll(key, new HashMap<>(this.delta));
RedisSessionRepository.this.sessionRedisOperations.expireAt(key,
Instant.ofEpochMilli(getLastAccessedTime().toEpochMilli())
.plusSeconds(getMaxInactiveInterval().getSeconds()));
this.delta.clear();
}