0

How does sticky sessions relate to HTTP and HTTPS;

If I place a load balancer in front of some web app servers that run a front end that supports HTTPS, will the sessions remain "sticky" on a typical load balancer that lists "stick sessions" as one of it's supported features?

I understand that question is partly open ended; To clarify, would I require a load balancer that supports sticky HTTPS session specifical or is "sticky sessions" a principal that functions agnostic of the HTTP payload, be it encrypted or not?

Thank you.

Greg Askew
  • 35,880
  • 5
  • 54
  • 82
jwbensley
  • 4,202
  • 11
  • 58
  • 90

2 Answers2

1

Generally sticky is the default for HTTPS and non-sticky is the default for HTTP.

For HTTP you need to enable sticky sessions if part of the session state data is held locally on the server side (either only in RAM or only on local storage). For example, once a connection is authenticated to server A, it needs to continue being routed to server A because server B will require reauthentication.

If subsequent requests will succeed regardless of which server they are routed to then you should not be using sticky.

Non-sticky, if your application supports it, is usually preferred.

bahamat
  • 6,263
  • 24
  • 28
1

Loadbalancers can identify sessions with cookies, parameters in the url, etc. If you use https on your loadbalancer, the loadbalancer has to do all the SSL handling itself, so it can have a look into the session.

So, yes, you need a loadbalancer which terminates the SSL to the client, so it can access the session data. (no Linux Virtual Server or HAProxy for you then)

Falk Stern
  • 141
  • 5
  • 1
    HAProxy supports both native SSL termination or you can use another software like NGiNX to terminate SSL and proxy through HTTP back to HAProxy. Sticky can be achieved directly with HAProxy sticky-table or emulated with inserting cookies. – Hrvoje Špoljar Sep 09 '12 at 14:03
  • @HrvojeŠpoljar , right :) – BigSack Aug 20 '13 at 05:07