backend calls are not sticky (AKA Session affinity)

[tobi-or-not-tobi]

With a backend running multiple pods/nodes, the backend will not been able to send cache invalidations cross a cluster when sub-sequential requests come in too soon. Moreover, if multiple requests are being scattered over multiple nodes, there's latency and unnecessary resources consumed.

Spartacus should interact with a single backend as much as possible for a single client. This is traditionally called "sticky sessions".

CCv2 is partially prepared for this. It adds a ROUTE cookie to the response. This cookie however is not configurable and uses no SameSite policy. This means that a decoupled storefront is likely going to fail to use it, as it's acting on a different domain. Today only chrome seem to have issues with this, but going forward it is expected to see more browsers following.

That being sad, Spartacus today doesn't use the ROUTE cookies. Cookies aren't send with any request at all. In order to leverage the ROUTE cookie, the following must be done:

• Use the withCredentials: true option in the http client, so that cookies are send with each request
• Configure the commerce backend with an additional CORS filter (Allow-Origin-With-Credentials:true) to ensure that the cookies are passing the filter.

[tobi-or-not-tobi]

In order to ensure that Spartacus (or better: angular) will send cookies with a request, requests must be done with withCredentials: true option. This can be done in an interceptor so that we do this in a generic way and ensure that no request forget this.

Once this is in place, an error will be thrown, as an additional backend configuration must be done. A new configuration property must be added corsfilter.ycommercewebservices.allowCredentials = true.

[tobi-or-not-tobi]

The SameSite=None policy will be has been added in ccv2 in release a0096 (see https://jira.hybris.com/browse/MTD-12330)

[tobi-or-not-tobi]

QA:

• configure a ccv2 environment based on application definition release a0096. https://storefront.c39j2-walkersde1-d4-public.model-t.cc.commerce.ondemand.com is having this release applied.
• Configure the OCC client in Spartacus to pass cookies into the request:

backend: {
  occ: {
    baseUrl: 'https://storefront.c39j2-walkersde1-d4-public.model-t.cc.commerce.ondemand.com',
    useWithCredentials: true
  }
}

• verify that a response cookie ROUTE is retrieved for the first OCC request
• verify that the ROUTE cookie is added to all sub-sequential requests

[KateChuen]

1. When we first load SPA, we get the ROUTE cookie in the response of the first occ call.

• Then we get the ROUTE cookie in the subsequent occ requests.

2. But then, when we do a login, we get the ROUTE cookie in the response again (I'm guessing it's because we're starting a new session?). But we have the "set-cookie" parameter displayed twice. ROUTE cookie is displayed in a separate "set-cookie" line. @tobi-or-not-tobi can you confirm it's ok please?

• Then we get the ROUTE cookie in the subsequent occ requests within the same session.

[tobi-or-not-tobi]

@KateChuen
regarding your 2nd observation, I wasn't aware, but this is actually fine. The 2nd creation of the cookie isn't necessary, but doesn't harm either.

Your QA work seem to confirm the aim of this ticket, good stuff.