How cookie based authentication works in multiple instance web application?

Time: 09-04

I have a stateless application (asp.net mvc 4.7.2) which runs on multiple instances (Azure).

My application uses form authentication (cookie based).

When I log in, in some cases I get the response back from a different instance and the system shows me as not logged in; on refresh it again shows me as logged in. Is this supposed to happen with multiple instances? (It is not always reproducible when the request and response are served by the same instance, and the issue seems not to be reproducible a while after login.)

I tried enabling ARR affinity, and I could not reproduce the issue. I tried with 1 instance, and I could not reproduce the issue.

But I'm not supposed to enable ARR affinity as I constantly scale up and scale down the instance count (I had an issue when scaling down: the user was getting a 503).

Is there any solution to fix this issue with login when we have multiple instances?

CodePudding user response:

ARR affinity idea is to route requests to the same instance (sticky sessions). Usually, it works fine, unless the instance gets removed by some reason.

You will face these issues as you don't have control over the instances / LB. The 'solution' would be to work with some other kind of authentication and with a dedicated session server.

CodePudding user response:

  1. Send the information required to prove authentication in encrypted form in the cookie, so each instance can decrypt it and use it. OR
  2. Store the authentication information in a database with a really long key and send the key in the cookie, so each instance can look it up in the database. OR
  3. If you want to up your security game, do 2, and encrypt the key and send the encrypted key in the cookie, so each instance can decrypt the key and look it up in the database.
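The following is an added example, not code from the answer above or from the asker's application, showing options 2 and 3 in miniature: a random lookup token is stored in a session table that every instance can reach, and the cookie carries the token plus an HMAC tag (signing used here in place of the answer's "encrypt the key" step) so an instance can reject forged or foreign cookies before touching the store. It also reproduces the asker's symptom by giving each instance its own table. The shared HMAC key, the `Instance` and `SessionStore` names, and the in-memory SQLite standing in for the database are assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time


class SessionStore:
    """Session table reachable from every instance (constructed: in-memory SQLite stands in for the DB)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, user TEXT, expires REAL)")

    def put(self, token, user, ttl):
        self.db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (token, user, time.time() + ttl))

    def get(self, token):
        row = self.db.execute("SELECT user, expires FROM sessions WHERE token = ?", (token,)).fetchone()
        if row is None or row[1] < time.time():  # unknown token or expired session
            return None
        return row[0]


class Instance:
    """One web-app instance. `key` is the HMAC key shared by all instances (an assumption here)."""

    def __init__(self, name, store, key):
        self.name, self.store, self.key = name, store, key

    def _tag(self, token):
        return hmac.new(self.key, token.encode(), hashlib.sha256).hexdigest()

    def login(self, user):
        token = secrets.token_urlsafe(32)  # 256-bit random lookup key, never derived from user data
        self.store.put(token, user, ttl=3600)
        return f"{token}.{self._tag(token)}"  # cookie value: token plus authentication tag

    def current_user(self, cookie):
        token, _, tag = cookie.rpartition(".")
        if not hmac.compare_digest(tag, self._tag(token)):
            return None  # forged, garbled, or issued under a different key: reject before the DB lookup
        return self.store.get(token)


def demo():
    key = secrets.token_bytes(32)
    # Symptom from the question: each instance keeps its own session table, so B cannot see A's login.
    a_only, b_only = Instance("A", SessionStore(), key), Instance("B", SessionStore(), key)
    cookie = a_only.login("alice")
    isolated = (a_only.current_user(cookie), b_only.current_user(cookie))
    # Fix: one store reachable from every instance, so any instance can serve the next request.
    shared = SessionStore()
    a, b = Instance("A", shared, key), Instance("B", shared, key)
    cookie = a.login("alice")
    return isolated, (a.current_user(cookie), b.current_user(cookie))
```

Rotating the shared key or the store while cookies are still in flight reproduces the same "not logged in" symptom, so both must be consistent across instances through a scale-down.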