What is the difference between a stateless and stateful web tier?
**Stateful web tier**: each web server stores session data locally — in memory or on local disk. A user who authenticates on server A must always be routed back to server A because only that server holds their session. This is enforced via sticky sessions (load balancer affinity). Problems: if server A crashes, the session is lost; scaling horizontally requires either migrating sessions or dropping them; deployments that replace servers terminate sessions.
**Stateless web tier**: no session data lives on the web server. Every request carries all the context needed to process it — either in a token (JWT carries identity and claims) or by looking up shared state in an external store (Redis, Memcached, database). Any web server can handle any request from any user at any time.
**Why stateless is preferred at scale:** - Load balancers can distribute requests to any healthy instance — no sticky sessions - Auto-scaling is clean: add/remove instances without session migration - Rolling deployments work without session drainage delays - Simpler failover — crashed server is replaced transparently
**JWT approach**: the client stores a signed token. The server validates the signature on every request with no lookup. Tradeoff: tokens cannot be invalidated before expiry without a blocklist (which reintroduces shared state). Use short expiry + refresh token rotation.
**Shared session store approach**: sessions live in Redis. Web servers are stateless; Redis holds state. This allows immediate invalidation and richer session data. Redis becomes a stateful tier — it must be highly available with replication.
**In practice**, most production systems are stateless web tier + stateful data tier. The database and cache are inherently stateful; the compute layer is kept stateless. This separation is what allows horizontal scaling of web servers while maintaining data consistency.
The system design interview framing: when asked to scale a web app, moving from stateful to stateless is usually one of the first architectural changes to propose.
| Aspect | Stateful | Stateless |
|---|---|---|
| Session storage | Local to server | External store or client token |
| Load balancing | Sticky sessions required | Any server, any request |
| Horizontal scaling | Complex — session migration | Simple — add instances freely |
| Failover | Session lost on crash | Transparent — another server takes over |
| Deployment | Session drainage needed | Rolling deploys without session loss |
| Token invalidation | Immediate (delete session) | Delayed with JWT; immediate with Redis blocklist |
| Complexity | Simpler auth logic | Requires token design or shared cache |
Correctly explains sticky sessions, why they are a scaling bottleneck, and how moving state to Redis solves it.
Covers JWT tradeoffs (non-revocability), explains that stateless web + stateful data is the canonical pattern, and mentions deployment benefits.
Reading the answer is step one. Explaining it unprompted — under interview pressure — is what actually matters. Get AI-graded feedback on your answer with follow-up probes on your weak points.
Get Graded — Free Assessment