I'm calling an Azure app service app and found these two cookies:
I understand the ARRAffinity cookie is to make sure the request is always sent back to the same backend instance, but what is the ARRAffinitySameSite cookie for?
Asked
Active
Viewed 3,124 times
3
David Klempfner
- 8,700
- 20
- 73
- 153
-
`ARRAffinitySameSite` is for Azure Web Sites for load balancing our application and ensures that, during any browsing session, the visitor's page requests are forwarded to the same server. – Harshitha Aug 28 '22 at 15:57
-
@HarshithaV Then what's the `ARRAffinity` cookie for? – David Klempfner Aug 28 '22 at 23:05
-
Please refer [ARRAffinity](https://appserviceblog.com/en/arr-affinity-azure-app-services/) – Harshitha Aug 29 '22 at 06:48
1 Answers
3
The purpose of ARRAffinitySameSite and ARRAffinity cookies is the same - they help to direct requests to the correct instance in load-balanced environments.
The only difference between them is the SameSite attribute. ARRAffinitySameSite was introduced when Chromium-based browsers enforced the new SameSite policy in 2020.
However, some old browsers do not support the SameSite attribute and Azure keeps the cookie ARRAffinity for backward compatibility.
Anna Gevel
- 1,103
- 1
- 11
- 20
-
I thought if something is not supported, it's just ignored. Couldn't it just use the one cookie with the SameSite attribute, and it'd just ignore it if it's not supported? – David Klempfner Aug 31 '22 at 01:20
-
2Azure can't tell old browsers to ignore the SameSite attribute. For instance, Chrome versions 51-66 and similar Chromium-based browsers reject cookies with `SameSite=None` which was correct according to the cookie specification at that time. If Azure did not keep the original `ARRAffinity` cookie, then sticky sessions would not work for these browsers and requests could go to any instance in the cluster. – Anna Gevel Aug 31 '22 at 08:29