4

I have a stateless application (ASP.NET MVC, .NET 4.7.2), which runs on multiple instances (Azure).

My application uses forms authentication (cookie based).

When I log in, in some cases I get the response back from a different instance and the system shows me as not logged in; on refresh it again shows me as logged in. Is this supposed to happen with multiple instances? (Not always reproducible when request and response are served by the same instance, and the issue seems not to be reproducible a while after login.)

I tried enabling ARR affinity, and I could not reproduce the issue. I tried with 1 instance, and I could not reproduce the issue.

But I'm not supposed to enable ARR affinity, as I constantly scale the instance count up and down (had an issue when scaling down: users were getting 503).

Is there any solution to fix this issue with login when we have multiple instances?

vishnuprasad kv
  • Can't you keep the whole session information as JSON in the cookie, so that the client sends it every time no matter which instance it goes to? – root Sep 03 '22 at 20:33
  • @root Cookies should be kept as small as possible (browsers have a 4KB limit per domain _for all cookies combined_). Storing _all_ immutable/invariant security claims in cookies is fine (but don't use JSON: it's far too verbose; instead use a more efficient approach, which is a tad difficult as cookies are plaintext, not binary). However, **do not** store mutable session data in cookies, because if the user makes concurrent requests in the same session (e.g. browsing the same site in multiple browser tabs) that trigger cookie updates, then you'll run into some _hard_ problems. – Dai Sep 04 '22 at 20:30

2 Answers

4

The idea of ARR affinity is to route requests to the same instance (sticky sessions). Usually it works fine, unless the instance gets removed for some reason.

You will face this issue as you don't have control over the instances / LB. The 'solution' would be to work with some other kind of authentication and with a dedicated session server.

Thiago Custodio
0
  1. Send the information required to prove authentication in an encrypted format in the cookie, so each instance can decrypt it and use it. OR
  2. Store the authentication information in the database with a long key and send the key in the cookie, so each instance can look it up in the database. OR
  3. If you want to up your security game, do 2, encrypt the key and send the encrypted key in the cookie, so each instance can decrypt the key and look it up in the database.
Akashgreninja
Ilam
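Neither answer shows code, so here is an added example (not from the question or either answer, and not ASP.NET code) that models both routes in plain Python with only the standard library: the first answer's "dedicated session server" and the second answer's option 2 as a random opaque session id looked up in a store every instance can reach, and the second answer's option 1 as a self-contained ticket that any instance holding the shared key can validate. ASP.NET forms authentication takes the self-contained route, protecting the ticket with the keys configured in `<machineKey>`, which is why every instance in a web farm must be configured with the same values; an instance that validates with a different key rejects a perfectly good cookie, and the user looks "not logged in" on that instance. The example uses an HMAC-signed ticket rather than an encrypted one to stay self-contained (a production ticket would also encrypt the payload), and the instance names, keys, timestamps and the in-memory dict standing in for Redis or SQL are all constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64e(raw: bytes) -> str:
    """URL-safe base64 without padding, so the value is cookie-safe."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# ---- Option 1: self-contained ticket, valid on any instance that holds the key ----

def issue_ticket(key: bytes, user: str, ttl_seconds: int, now=None) -> str:
    """Return '<payload>.<mac>'. The MAC is what lets another instance trust it."""
    now = time.time() if now is None else now
    claims = {"user": user, "exp": int(now) + ttl_seconds}
    payload = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64e(mac)}"


def verify_ticket(key: bytes, cookie: str, now=None):
    """Return the claims if the MAC matches `key` and the ticket is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload, mac_text = cookie.split(".", 1)
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison: never reveal how many MAC bytes matched.
        if not hmac.compare_digest(expected, _b64d(mac_text)):
            return None
        claims = json.loads(_b64d(payload))
    except ValueError:  # missing separator, bad base64, bad JSON, non-ASCII
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


# ---- Option 2: opaque session id, record kept in a store shared by all instances ----

def start_session(store: dict, user: str, ttl_seconds: int, now=None) -> str:
    """Create a server-side session; the cookie carries only a random lookup key."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)  # 256 bits of entropy, no user data inside
    # Key the store by a hash so a dump of the store cannot be replayed as cookies.
    store[hashlib.sha256(session_id.encode("ascii")).hexdigest()] = {
        "user": user, "exp": int(now) + ttl_seconds}
    return session_id


def lookup_session(store: dict, cookie: str, now=None):
    now = time.time() if now is None else now
    record = store.get(hashlib.sha256(cookie.encode()).hexdigest())
    if record is None or record["exp"] <= now:
        return None
    return {"user": record["user"]}


def demo() -> dict:
    """Login lands on instance A; the next request lands on instance B or C (constructed)."""
    shared_key = secrets.token_bytes(32)        # value every instance is configured with
    per_instance_key = secrets.token_bytes(32)  # what instance C has if keys are not shared
    t_login, t_next = 1_000, 1_001

    ticket = issue_ticket(shared_key, "alice", 3600, now=t_login)  # issued by A
    payload, mac = ticket.split(".", 1)
    forged = _b64e(json.dumps({"user": "admin", "exp": t_login + 3600}).encode()) + "." + mac

    store_shared = {}  # stands in for a Redis/SQL store reachable from every instance
    sid = start_session(store_shared, "alice", 3600, now=t_login)  # issued by A

    return {
        # B holds the same key: the user stays logged in
        "ticket_same_key": verify_ticket(shared_key, ticket, now=t_next) is not None,
        # C holds a different key: the same cookie is rejected, i.e. "not logged in"
        "ticket_other_key": verify_ticket(per_instance_key, ticket, now=t_next) is not None,
        "ticket_tampered": verify_ticket(shared_key, forged, now=t_next) is not None,
        "ticket_expired": verify_ticket(shared_key, ticket, now=t_login + 3600) is not None,
        "session_shared_store": lookup_session(store_shared, sid, now=t_next) is not None,
        # an instance with only its own in-memory store cannot see A's record
        "session_local_store": lookup_session({}, sid, now=t_next) is not None,
    }


if __name__ == "__main__":
    for name, logged_in in demo().items():
        print(f"{name:22s} logged in = {logged_in}")
```

The two failure rows in `demo()` are the ones to keep in mind when scaling out: a ticket checked with a key the issuing instance did not use, and a session id looked up in a store the issuing instance did not write to, both produce exactly the "logged in, then not logged in" behaviour described in the question, so whichever option you pick, the key or the store has to be shared by every instance that can receive the request.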