Stateful vs Stateless Architecture
Let's take an example to understand the concept of stateful and stateless architecture. When a user visits a website, say flipkart.com, they enter a user ID and password to log in. The server then checks those credentials against its database to decide whether the user is valid.
In a stateful architecture, if the user is valid, the server creates some session data, stores it in its own memory, and returns a reference identifier (a session ID) to the user. On every further request for a page on that site the user sends that identifier back; the server looks it up in the session data it created earlier, and only if the identifier is valid does it serve the requested page. The user's state therefore lives on that one server. This works fine with a single server but runs into trouble when the system is scaled horizontally.
Let's take an example to see why horizontal scaling does not work for a stateful architecture. Suppose there is more than one server. User A's request goes to the load balancer, which connects A to server 1. After authentication, server 1 stores the session data and returns an identifier to A. Now A adds some items to the cart on Flipkart/Amazon while connected to server 1, and then server 1 crashes. A can connect to another server through the load balancer, but that server has never seen A's identifier, so A's state (the cart, and the login itself) is lost and A has to add every item again. This is the main issue with stateful architecture: because the state is kept on a particular server, a problem with that server means the user's state is gone.
In a stateless architecture no particular server keeps the user's state. It is always stored in shared storage (a cache or a database) that every server can reach. If a server crashes, the user's state is safe in the shared location and any other server can pick it up, so the system scales easily. Note that it is the application servers that are stateless here; the state still exists, it just lives outside them.
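To make the difference concrete, here is an added example (not code from the original article) that simulates the scenario above in Python: two application nodes behind a load balancer, a user who logs in and fills a cart on server 1, and then a crash of server 1. The `Server`, `LoadBalancer` and `USERS` names and the credential table are constructed for this illustration. With `shared_store=None` each node keeps its own session dictionary (the stateful case); passing one dictionary to both nodes stands in for a shared cache or database (the stateless arrangement described above).

```python
import secrets

# Constructed credential table standing in for the user database in the example.
USERS = {"alice": "correct-horse-battery-staple"}


class Server:
    """One application node behind the load balancer.

    With shared_store=None the node keeps sessions in its own memory (stateful
    architecture).  With a shared_store the node stores nothing locally and every
    node reads and writes the same cache/database (the stateless arrangement).
    """

    def __init__(self, name, shared_store=None):
        self.name = name
        self.alive = True
        self.local_sessions = {}
        self.shared_store = shared_store

    def _sessions(self):
        return self.local_sessions if self.shared_store is None else self.shared_store

    def login(self, user_id, password):
        """Check credentials, create session data, hand back only a reference ID."""
        expected = USERS.get(user_id)
        if expected is None or not secrets.compare_digest(expected, password):
            return None
        session_id = secrets.token_urlsafe(32)          # unguessable reference identifier
        self._sessions()[session_id] = {"user": user_id, "cart": []}
        return session_id

    def add_to_cart(self, session_id, item):
        session = self._sessions().get(session_id)
        if session is None:                              # identifier unknown to this node
            raise PermissionError(f"{self.name}: unknown session, log in again")
        session["cart"].append(item)
        return list(session["cart"])

    def cart(self, session_id):
        session = self._sessions().get(session_id)
        if session is None:
            raise PermissionError(f"{self.name}: unknown session, log in again")
        return list(session["cart"])


class LoadBalancer:
    """Routes each request to the first healthy node; a crashed node is skipped."""

    def __init__(self, servers):
        self.servers = servers

    def route(self):
        for server in self.servers:
            if server.alive:
                return server
        raise RuntimeError("no healthy servers")


def run_scenario(shared_store):
    """User A logs in, fills the cart on server 1, server 1 crashes, A is re-routed.

    Returns the cart as seen after the crash, or None if the session was lost.
    """
    server1 = Server("server1", shared_store)
    server2 = Server("server2", shared_store)
    lb = LoadBalancer([server1, server2])

    session_id = lb.route().login("alice", "correct-horse-battery-staple")
    assert session_id is not None
    lb.route().add_to_cart(session_id, "book")
    lb.route().add_to_cart(session_id, "headphones")

    server1.alive = False                                # server 1 crashes
    try:
        return lb.route().cart(session_id)               # now served by server2
    except PermissionError:
        return None


def stateful_after_crash():
    return run_scenario(shared_store=None)


def stateless_after_crash():
    return run_scenario(shared_store={})                 # one dict shared by both nodes


if __name__ == "__main__":
    print("stateful :", stateful_after_crash())          # None: cart and login are gone
    print("stateless:", stateless_after_crash())         # ['book', 'headphones']
```

Two details carry over to real deployments: the identifier handed to the client is random and long enough to be unguessable, because it is the only thing standing between an attacker and someone else's session, and the server never trusts an identifier it cannot find in its store. In the shared-store case the node that answers after the crash has no special knowledge; any healthy node can serve any session.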
In a stateful architecture the server side uses much more memory, because the full session data is stored there, while the client side stores very little, only the session reference. In a stateless architecture the server side keeps only the signing key, which takes little memory and also saves the database lookup that would otherwise be needed to validate each request. Stateless authentication stores the user's session data in a token on the client side (in the browser). That token lets the user access protected pages and resources for a finite time without re-entering the username and password. The server signs the token to protect its integrity and authenticity, so on each request the server verifies it by recomputing the signature over the payload and checking that it matches the signature carried in the token; a constant-time comparison of the two signatures and a check of the token's expiry are the two steps the verifier must not skip.
Some disadvantages of stateless authentication are:
- The server has no straightforward way to revoke a session, since the session data is held on the client side; a correctly signed token stays valid until it expires unless the server keeps a denylist of issued tokens, which reintroduces server-side state.
- To add or change a property in the session data, the server can ask the client to replace its token, but it cannot make sure this happens before the old token expires, because the client can keep presenting the old token and it will still verify.
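As an added example (not part of the original article) of the token-based stateless authentication described above, and of both disadvantages just listed, here is a minimal signed token in Python using only the standard library. The format `<base64 payload>.<base64 HMAC-SHA256>` and the names `SERVER_KEY`, `issue_token`, `verify_token`, `forge_payload` and `REVOKED_JTIS` are assumptions for this illustration, and the key is a constructed placeholder. The block shows the server verifying a token by recomputing the signature over the payload, rejecting a payload that an attacker edited while keeping the old signature, rejecting an expired token, and the revocation problem: once a token is issued, the plain check keeps accepting it until `exp`, and the only way to revoke it earlier is a server-side denylist, which brings back exactly the server-side state that stateless authentication set out to avoid.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed server-side signing key (constructed for the example; in practice it
# comes from a secret store and never leaves the server).
SERVER_KEY = b"constructed-demo-key-replace-with-32-random-bytes"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, body: str) -> bytes:
    return hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()


def issue_token(key, user_id, roles, ttl_seconds, now=None):
    """Put the session data in the token itself and sign it: <payload>.<hmac>"""
    now = int(time.time() if now is None else now)
    payload = {
        "sub": user_id,
        "roles": roles,
        "iat": now,
        "exp": now + ttl_seconds,
        "jti": secrets.token_hex(8),      # token id, only useful if the server keeps a denylist
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{body}.{_b64(_sign(key, body))}"


def verify_token(key, token, now=None):
    """Return the payload if the signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        # Recompute the signature over the payload; constant-time compare against the
        # signature the client sent, so a forged payload is rejected.
        if not hmac.compare_digest(_sign(key, body), _unb64(sig)):
            return None
        payload = json.loads(_unb64(body))
        if payload["exp"] <= now:
            return None                    # expired: the only built-in way a token dies
        return payload
    except (ValueError, KeyError):         # malformed base64/JSON or a missing claim
        return None


def forge_payload(token, **changes):
    """Attacker edits the payload but keeps the old signature (must fail to verify)."""
    body, sig = token.split(".")
    payload = json.loads(_unb64(body))
    payload.update(changes)
    new_body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    return f"{new_body}.{sig}"


# Revocation: a signed token stays valid until exp.  The only earlier "off switch" is a
# server-side denylist keyed by jti, i.e. server-side state again.
REVOKED_JTIS = set()


def verify_with_denylist(key, token, now=None):
    payload = verify_token(key, token, now)
    if payload is None or payload["jti"] in REVOKED_JTIS:
        return None
    return payload


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_token(SERVER_KEY, "alice", ["user"], ttl_seconds=600, now=t0)
    print(verify_token(SERVER_KEY, token, now=t0 + 60)["roles"])                          # ['user']
    print(verify_token(SERVER_KEY, forge_payload(token, roles=["admin"]), now=t0 + 60))  # None
    print(verify_token(SERVER_KEY, token, now=t0 + 601))                                  # None
    REVOKED_JTIS.add(verify_token(SERVER_KEY, token, now=t0 + 60)["jti"])
    print(verify_token(SERVER_KEY, token, now=t0 + 60) is not None)    # True: plain check still accepts it
    print(verify_with_denylist(SERVER_KEY, token, now=t0 + 60))        # None: only the denylist stops it
```

The same structure applies to a real JWT; in production use a vetted library with the signing algorithm pinned rather than hand-rolled code, keep the TTL short so the revocation gap is small, and treat the denylist (or a per-user "tokens issued before time T are invalid" marker) as the accepted cost if you need immediate logout or role changes.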