What have we forgotten | Alexander Mikhailian
An organization migrated from Weblogic to Kubernetes and ditched session cookies for JWT tokens—forgetting why distributed transactions and cookies existed in the first place, breaking file downloads, accessibility, and user sessions in the process.
TLDR
• Moving to Kubernetes while keeping "two instances per app" but losing Weblogic's distributed transaction support created race conditions that require manual reboots
• Abandoning session cookies for JWT in Authorization headers made file downloads require JavaScript blob objects, broke screen readers, and forces re-authentication across every SPA
• The API Gateway's JSON-only mandate turned simple file GETs into multipart/form-data responses because they forgot Content-Disposition headers exist
• Root cause: engineering leadership failed to understand why old patterns existed before replacing them with trendy alternatives
In Detail
The author describes an organization that cargo-culted modern technologies without understanding the fundamentals they replaced. When migrating from Weblogic to Kubernetes, they kept the practice of running two instances per application but forgot that Weblogic's distributed transactions were what made this safe. Without that synchronization layer, JPA and ehcache created stateful instances that race against each other, requiring manual reboots to resolve corruption.
The session cookie abandonment created even worse problems. By moving to JWT tokens in Authorization headers (possibly due to GDPR fears or API Gateway investment), they made the frontend download files via JavaScript, create blob objects, and forward them to users—because browsers can't send Authorization headers for direct downloads. The API Gateway's JSON-only requirement meant simple file downloads became multipart/form-data responses with metadata, since they also forgot about Content-Disposition headers. Users now re-authenticate when switching between SPAs because JWT tokens only live in JavaScript execution context, making their OAuth 2.0 SSO workflow pointless. Screen readers barely work.
The author attributes this to engineering leadership failure—possibly from lack of competition, complacency with non-technical leadership, or absence of professional standards enforcement. The follow-up suggests putting JWT in session cookies instead of Authorization headers would solve the binary download and re-authentication problems while maintaining multi-role authorization.