Can anybody describe when the value of the AWSALBAPP (Application-based cookie) cookie is set as _remove_ and why there's more than one cookie (AWSALBAPP-0, AWSALBAPP-1, AWSALBAPP-2, AWSALBAPP-3) present in the request if the application-based cookie selected only JSESSIONID?
The aws documentation mentions:
Since most browsers limit cookies to 4K in size, the load balancer shards application cookies greater than 4K into multiple cookies. Application Load Balancers support cookies up to 16K in size and can therefore create up to 4 shards that it sends to the client. The application cookie name that the client sees begins with “AWSALBAPP-" and includes a fragment number.
It is not clear how the ALB generates this value.
For the _remove_ value, It is just a way to ensure that it replaces any previously stored value. If the ALB detects a value in AWSALBAPP-1 it will concat this value with AWSALBAPP-0 value internally. If its value is _remove_, it will be ignored.
