My, Myself and John Doe

a.k.a. session, current_user and impersonation

Problem

1. Keep same functionality

2. Sharding

3. Sharded user session

4. Sharded session data

5. Reusability

How to make it all work?

Let's start with understanding our options

Cookie based session

How does it work?

  1. The client sends a login request to the server.
  2. On login, the server includes the Set-Cookie header
    Set-Cookie: SESSION_ID=abcde12345; Path=/; HttpOnly
  3. This cookie is now included in each request
  4. On the server side we store additional data associated with SESSION_ID
    Session.find_by(session_id: cookie['SESSION_ID']).user
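The four steps above, worked through as an added Ruby example (not code from the talk or any app it describes). It stands in for the Rails pieces with plain hashes: SESSION_STORE plays the shared session store (memcached or a global sessions table) and SHARDS plays the per-shard user tables; every name, domain and record here is a constructed assumption.

```ruby
require "securerandom"
require "cgi"

# Constructed in-memory stores. SESSION_STORE is the data every shard must be
# able to reach (the "shared data" problem); SHARDS holds each shard's own users.
SESSION_STORE = {}                      # session_id => { user_id:, shard: }
SHARDS = {
  "shard_a" => { 1 => { id: 1, email: "alice@example.com" } },
  "shard_b" => { 2 => { id: 2, email: "bob@example.com" } },
}

# Step 2: on login, create the server-side record and build the Set-Cookie header.
# The cookie carries only an opaque random id; nothing about the user leaves the server.
def login(user_id, shard)
  session_id = SecureRandom.hex(16)
  SESSION_STORE[session_id] = { user_id: user_id, shard: shard }
  # Domain=.example.com (assumed domain) is what makes the cookie visible on all
  # subdomains; HttpOnly keeps it away from script, Secure keeps it off plain HTTP.
  header = "SESSION_ID=#{session_id}; Path=/; Domain=.example.com; HttpOnly; Secure; SameSite=Lax"
  [session_id, header]
end

# Step 3: the browser sends the cookie back; parse the Cookie request header.
def parse_cookies(cookie_header)
  cookie_header.to_s.split(/;\s*/).each_with_object({}) do |pair, acc|
    name, value = pair.split("=", 2)
    acc[name] = CGI.unescape(value.to_s) if name && !name.empty?
  end
end

# Step 4: session_id -> session record -> shard -> user.
# Returns nil for a missing cookie, an unknown (or logged-out) session,
# or a user id that is not present in its shard.
def current_user(cookie_header)
  session_id = parse_cookies(cookie_header)["SESSION_ID"]
  return nil unless session_id
  session = SESSION_STORE[session_id]
  return nil unless session
  SHARDS.fetch(session[:shard], {})[session[:user_id]]
end

# Logout deletes the server-side record, so the cookie value is dead immediately
# even if the browser keeps sending it.
def logout(session_id)
  SESSION_STORE.delete(session_id)
end
```

The point to notice is step 4: the cookie alone tells the server nothing, so every shard that receives it must be able to query SESSION_STORE. That is the coupling the "bad news" slide is about.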

Good news!

We can access cookie in all subdomains

Bad news!

Shared data

  • memcached
  • global db users, clients, etc.
  • user credentials are still in each shard

OAuth2

How does it work?

Good news!

No need for shared sessions!

Bad news!

We need to make sure that old passwords/tokens still work

JWT: no need for session data at all

How does it work?

Good news!

No need for storing session data + plays nice with OAuth2

Bad news!

Not well researched; might not be suitable for legacy apps
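To make the "no session data at all" claim concrete, here is an added Ruby example (not from the talk) of an HS256 JWT issued and verified with only OpenSSL and the standard library. The secret, claim names and timestamps are constructed assumptions; nothing is looked up in a store, which is exactly what distinguishes this from the cookie session.

```ruby
require "openssl"
require "json"
require "base64"

# Constructed secret for the example only; a real deployment loads it from config.
JWT_SECRET = "example-only-secret-change-me"

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)   # accepts unpadded input, raises ArgumentError if invalid
end

# Constant-time comparison so signature checks do not leak where bytes differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue a token: base64url(header).base64url(claims).base64url(HMAC-SHA256).
def jwt_encode(claims, secret = JWT_SECRET)
  header = { alg: "HS256", typ: "JWT" }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  sig = OpenSSL::HMAC.digest("SHA256", secret, signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# Verify a token and return its claims, or nil when it is malformed, declares an
# algorithm we did not issue (rejects "none" and algorithm confusion), carries a
# bad signature, or is past its exp. No server-side session record is consulted.
def jwt_decode(token, secret = JWT_SECRET, now: Time.now.to_i)
  parts = token.to_s.split(".")
  return nil unless parts.length == 3
  h64, c64, s64 = parts
  header = JSON.parse(b64url_decode(h64))
  return nil unless header.is_a?(Hash) && header["alg"] == "HS256"
  expected = OpenSSL::HMAC.digest("SHA256", secret, "#{h64}.#{c64}")
  return nil unless secure_equal?(expected, b64url_decode(s64))
  claims = JSON.parse(b64url_decode(c64))
  return nil unless claims.is_a?(Hash)
  return nil if claims["exp"] && now >= claims["exp"].to_i
  claims
rescue JSON::ParserError, ArgumentError
  nil
end
```

The flip side of having no store is that there is nothing to delete on logout: the only lever is the exp claim, so tokens should be short-lived, and the verifier must pin the algorithm rather than trust the one in the header.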

Back to where we started

Alternative #1

Alternative #2

Alternative #3

kthxbai