Session cookies with load balancing (Not sticky sessions)

Carlos · Jul 20, 2012 · Viewed 7.1k times

I have scanned RFC 6265 but did not find the answer to the following.

I want to put a naive round-robin load-balancer in front of multiple servers for a single webapp. The load-balancer does not provide sticky sessions. So a client will typically bounce from one appserver to another on successive requests.

On the first connection, the client has no SID and is randomly routed to, say, server A.
Server A responds with a session cookie, a nonce.

On the next connection, the client includes the SID from server A in the HTTP headers. This time the client is randomly routed to, say, server B. Server B sees the SID which (one hopes!) does not match any SID it has issued. What happens? Does server B just ignore the "bad" SID, or complain, or ignore the request, or what?

The idea is, I don't want to use session cookies at all. I want to avoid all the complexities of stickiness. But I also know that my servers will probably generate -- and more to the point look for -- session cookies anyway.

How can I make sure that the servers just ignore (or better yet not set) session cookies?

Answer

lawnmowerlatte · Jul 30, 2012

I think the answer to this will vary greatly depending on the application that is running on the server. While any load balancer worth its salt has sticky sessions, operating without them can be done as long as all the servers in the pool can access the same session state via a centralized database.

Since you are talking about session IDs, I'm guessing that the application does rely on session state in order to function. In this case, if the request came in with a "bad" session ID, it would most likely be discarded and the user prompted to log in — again, the precise behavior depends on the app. If you were to disable session cookies entirely, the problem would likely get worse since even the absence of an ID would likely result in a login prompt as well.

If you really want to avoid complexity at the load balancer, you will need to introduce some mechanism by which all servers can process requests from all sessions. Typically this takes the form of a centralized database or some other shared storage. This allows session state to be maintained regardless of the server handling that particular request.

Maintaining session state is one of the sticking points (pun intended) of load balancing, but simply ignoring or avoiding session cookies is not the solution.
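The following is an added simulation (not code from either post) of the two situations the answer describes: three app servers behind a round-robin balancer, first each holding its own private session table, then all sharing one store. The `AppServer`, `SessionStore`, `RoundRobinBalancer` and `Client` classes are assumptions made for the example; they model a server that discards an unrecognised session ID and issues a fresh one, which is the "bad SID is discarded and the user is prompted to log in" behaviour the answer expects.

```python
import itertools
import secrets


class SessionStore:
    """Minimal session store: maps an unguessable session id to a dict of state.
    In a real deployment this would be a database or cache reachable by every server."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)  # random nonce, not guessable by other clients
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


class AppServer:
    """One application server.  With shared_store=None it keeps a private store,
    which reproduces the failure mode described in the question."""

    def __init__(self, name, shared_store=None):
        self.name = name
        self.store = shared_store if shared_store is not None else SessionStore()

    def handle(self, request):
        """request = {"cookie": sid-or-None, "action": "login"|"whoami", ...}.
        Returns a response dict; "set_cookie" is present when a new session was issued."""
        presented = request.get("cookie")
        session = self.store.get(presented) if presented else None
        response = {"server": self.name}
        if session is None:
            # Unknown or missing SID: discard it and start a fresh anonymous session.
            # For a login-protected app this is the point where the user is re-prompted.
            sid = self.store.create()
            session = self.store.get(sid)
            response["set_cookie"] = sid
            response["sid_rejected"] = presented is not None
        if request["action"] == "login":
            session["user"] = request["user"]
            response["body"] = f"logged in as {request['user']}"
        else:
            response["body"] = session.get("user", "anonymous")
        return response


class RoundRobinBalancer:
    """Naive round-robin with no stickiness: every request goes to the next server."""

    def __init__(self, servers):
        self._cycle = itertools.cycle(servers)

    def forward(self, request):
        return next(self._cycle).handle(request)


class Client:
    """A cookie-honouring client: remembers the last Set-Cookie and sends it back."""

    def __init__(self, balancer):
        self.balancer = balancer
        self.cookie = None

    def request(self, action, **fields):
        resp = self.balancer.forward({"cookie": self.cookie, "action": action, **fields})
        if "set_cookie" in resp:
            self.cookie = resp["set_cookie"]
        return resp


def run_scenario(shared):
    """Log in once, then ask 'who am I' on the next three requests.
    Returns the identities reported, one per request."""
    store = SessionStore() if shared else None
    servers = [AppServer(name, store) for name in ("A", "B", "C")]
    client = Client(RoundRobinBalancer(servers))
    client.request("login", user="carlos")  # constructed sample user
    return [client.request("whoami")["body"] for _ in range(3)]


if __name__ == "__main__":
    print("private stores:", run_scenario(shared=False))  # every hop rejects the SID
    print("shared store:  ", run_scenario(shared=True))   # state follows the client
```

With private stores the login lands on server A, and each following request reaches a server that has never issued the presented SID, so the client is bounced back to anonymous on every hop; with one shared store the same round-robin routing keeps the session intact. The one thing the shared store does not change is that the session ID must stay an unguessable random token: the store makes it portable across servers, it does not make it safe to derive from anything predictable.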