I am trying to implement user authentication for my website, which will sit on multiple servers behind a load balancer. I am hoping there is some secure method that I can use without having sticky sessions turned on at the load balancer so that the same users always hit the same server. Does anyone have a solution for this? In researching this I see mentions of using a DB that all servers will hit, but I am unsure what sort of information the user should store and send with each request once they have logged in. Just sending some sort of session ID that is associated with a particular user in the DB seems insecure. Or is it just normal to use sticky sessions? I am worried about what will happen to the users' sessions if a server dies or if the load is not able to spread out properly.
Thank you.
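As an added example, not the asker's code and not from any answer on this page: the two patterns the question touches on, written in Python. The first is a shared server-side session store keyed by a random session ID (the `SessionStore` dict stands in for Redis, Memcached or a SQL table that every server behind the balancer can reach); the second is a stateless HMAC-signed token that any server holding the same key can verify without a shared store. `SESSION_TTL`, `SERVER_SECRET` and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 3600  # assumed session lifetime in seconds

# ---------------------------------------------------------------------------
# Pattern 1: random session ID, state kept in a store shared by all servers.
# ---------------------------------------------------------------------------
class SessionStore:
    """In-memory stand-in (constructed for this example) for a shared store."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> {"user_id": ..., "expires": ...}

    @staticmethod
    def _key(token):
        # Store only a hash of the token, so a leaked dump of the store
        # does not hand out usable session identifiers.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id, now=None):
        now = time.time() if now is None else now
        # 32 bytes from the OS CSPRNG: 256 bits, not guessable or enumerable.
        token = secrets.token_urlsafe(32)
        self._rows[self._key(token)] = {"user_id": user_id, "expires": now + SESSION_TTL}
        return token

    def lookup(self, token, now=None):
        """Return the user_id for a valid, unexpired token, else None."""
        now = time.time() if now is None else now
        row = self._rows.get(self._key(token))
        if row is None:
            return None
        if row["expires"] <= now:
            self._rows.pop(self._key(token), None)  # lazy expiry
            return None
        return row["user_id"]

    def revoke(self, token):
        # Logout / compromise response: takes effect on every server at once.
        self._rows.pop(self._key(token), None)


def cookie_header(token):
    """Set-Cookie value: HttpOnly keeps it from scripts, Secure keeps it on TLS."""
    return f"session={token}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={SESSION_TTL}"


# ---------------------------------------------------------------------------
# Pattern 2: stateless token, integrity protected by an HMAC over user + expiry.
# ---------------------------------------------------------------------------
# Assumption: in a real deployment every server loads the SAME key from
# configuration or a secrets manager; generating it here only serves the example.
SERVER_SECRET = secrets.token_bytes(32)


def make_signed_token(user_id, now=None, key=SERVER_SECRET):
    now = int(time.time()) if now is None else int(now)
    payload = f"{user_id}:{now + SESSION_TTL}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_signed_token(token, now=None, key=SERVER_SECRET):
    """Return user_id if the MAC checks out and the token is unexpired, else None."""
    now = int(time.time()) if now is None else int(now)
    try:
        user_id, expires, mac = token.rsplit(":", 2)
    except ValueError:
        return None
    expected = hmac.new(key, f"{user_id}:{expires}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == leaks timing about how many bytes matched.
    if not hmac.compare_digest(mac, expected):
        return None
    if int(expires) <= now:  # expires was covered by the MAC, so it parses cleanly
        return None
    return user_id
```

Either way the client sends a bearer credential with each request; what makes it safe is that it is unguessable (256 random bits, or a key-dependent MAC), carried only over TLS in an HttpOnly cookie, and time-limited. The shared-store variant lets any server revoke a session immediately, which the stateless variant cannot do before expiry, and it survives a server dying because no session state lives on the server itself.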