Session Mechanisms, Distributed Session Challenges, and SSO Solutions with CAS Implementation

When a product matrix grows, users must log in to multiple systems, which hurts experience and raises password‑management costs. To improve usability, a unified authentication approach is needed.

Traditional Session Mechanism and Authentication

Because HTTP is stateless, each request creates a new thread on the server without preserving user context. A JSESSIONID cookie is generated to identify a user session stored on the server. If the cookie is disabled, URL rewriting is used to pass the session ID.

Server‑side processing of a request follows these steps: (1) check for a session ID in the cookie; (2) retrieve the session data from server memory; (3) if the ID is missing, create a new session and send the cookie back.

Session Sharing in a Cluster

In a distributed deployment, load balancers may route consecutive requests from the same user to different servers, causing the session to be unavailable on the second server. Two main solutions exist:

Session replication – copy session data to all nodes (high cost, latency issues).

Centralized session storage – store sessions in a shared store such as Redis, allowing all servers to read the same data.

Single Sign‑On (SSO) Background

Enterprises often have many independent systems, each requiring its own login, which is cumbersome for users. SSO lets a user log in once and access all systems via a ticket that links to a central authentication service.

CAS (Central Authentication Service) Implementation

The CAS flow works as follows:

User accesses system B, which redirects to ouath.com for login.

User logs in, CAS creates a cookie for its domain and stores <ticket, sessionId> in Redis.

System B receives the ticket, retrieves the session ID from Redis, creates a local session, and redirects the user back.

The overall interaction diagram is shown in the article.

Code Example – CAS Login Service

User entity:

public class UserForm implements Serializable {
    private static final long serialVersionUID = 1L;
    private String username;
    private String password;
    private String backurl;
    // getters and setters omitted for brevity
}

Login controller:

@Controller
public class IndexController {
    @Autowired
    private RedisTemplate redisTemplate;

    @GetMapping("/toLogin")
    public String toLogin(Model model, HttpServletRequest request) {
        Object userInfo = request.getSession().getAttribute(LoginFilter.USER_INFO);
        if (userInfo != null) {
            String ticket = UUID.randomUUID().toString();
            redisTemplate.opsForValue().set(ticket, userInfo, 2, TimeUnit.SECONDS);
            return "redirect:" + request.getParameter("url") + "?ticket=" + ticket;
        }
        UserForm user = new UserForm();
        user.setUsername("laowang");
        user.setPassword("laowang");
        user.setBackurl(request.getParameter("url"));
        model.addAttribute("user", user);
        return "login";
    }

    @PostMapping("/login")
    public void login(@ModelAttribute UserForm user, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        request.getSession().setAttribute(LoginFilter.USER_INFO, user);
        String ticket = UUID.randomUUID().toString();
        redisTemplate.opsForValue().set(ticket, user, 20, TimeUnit.SECONDS);
        if (user.getBackurl() == null || user.getBackurl().length() == 0) {
            response.sendRedirect("/index");
        } else {
            response.sendRedirect(user.getBackurl() + "?ticket=" + ticket);
        }
    }

    @GetMapping("/index")
    public ModelAndView index(HttpServletRequest request) {
        ModelAndView mv = new ModelAndView();
        UserForm user = (UserForm) request.getSession().getAttribute(LoginFilter.USER_INFO);
        mv.setViewName("index");
        mv.addObject("user", user);
        return mv;
    }
}

Login filter (session validation):

public class LoginFilter implements Filter {
    public static final String USER_INFO = "user";
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        Object userInfo = request.getSession().getAttribute(USER_INFO);
        String requestUrl = request.getServletPath();
        if (!"/toLogin".equals(requestUrl) && !requestUrl.startsWith("/login") && userInfo == null) {
            response.sendRedirect("/toLogin?url=" + request.getRequestURL());
            return;
        }
        filterChain.doFilter(request, response);
    }
}

A similar SSOFilter retrieves the ticket from the request, loads the user from Redis, puts it into the session, and deletes the ticket.

CAS vs OAuth2

CAS focuses on authenticating users for web SSO (client‑side resource protection), while OAuth2 authorizes third‑party applications to access a resource server on behalf of a user (server‑side resource protection).

In summary, the article provides a complete walkthrough of session handling, distributed session sharing, and a practical CAS‑based SSO implementation with Java, Spring Boot, and Redis.