1

I have a Asp.Net web application running on Windows 2008 R2 (IIS 7.5). I have two servers WWW1 and WWW2 and the DNS records are set up for round robin DNS for "www". I increased the AppPool timeout and the Session State timeout settings so users don't get logged out after 20 minutes. However I've noticed users are getting logged out randomly. I think what is happening is the user goes to www.foo.com and logs in and then afterward some time the round robin navigates them to the opposite server in the cluster (WWW1 or WWW2) where the cookie was not created and therefore prompts them for a login.

How can I get this to work and still keep my high availability solution using round robin DNS?

David Mathis
  • 247
  • 1
  • 2
  • 8
  • Use sticky sessions - see [this question](http://stackoverflow.com/a/866149/745969) – Tim Jan 23 '13 at 05:30
  • @Tim I don't have a LB here as they are just using round robin DNS to distribute to 2 identical servers WWW1 & WWW2 – David Mathis Jan 23 '13 at 05:44
  • Ah...sorry. Can you use some sort of persistent store (database) or something? Not as quick as a cookie, but just an idea. I haven't had to deal with something like this (yet). – Tim Jan 23 '13 at 05:48

1 Answers1

7

The issue here is each server maintains its own session state in memory and doesn't know about sesssions created on the other server.

To get around this, instead of using the default InProc session state provider you'll need to use the StateServer or SQLServer session state providers.

To do this you'll need to make sure the ASP.NET state service is running on one of your servers and then you'll need to add the following configuration item to the system.web section of your application's web.config file, replacing 'SampleStateServer' with the name of the server you are running the ASP.NET state service on:

    <sessionState mode="StateServer"
      stateConnectionString="tcpip=SampleStateServer:42424"
      cookieless="false"
      timeout="20"/>

Microsoft's documentation on this is available at http://msdn.microsoft.com/en-us/library/ms178586.aspx

Because you are running this in a web farm you'll also need to make sure the web applications on both servers are using the same encryption keys.

For this you'll need to set a machineKey entry in the web.config whic involves adding an entry like the following to the system.web section of the web.config:

<machineKey validationKey="4D0590A0E4DE163BAD0EEEB6747467D770CD5FB2EA95BF02B27787A45CA579DECB01E2A1F16563DBAB44C1C0E54C7E53D65F2A7D0FDF378F4D3702B3F2C8B165" decryptionKey="928771D7B1B8C32608F56AC428EC5902985F6FB2E6E9A78733B6EAA493FA13F5" validation="SHA1" decryption="AES" />

There are several websites which will generate keys for you. I typically use http://aspnetresources.com/tools/machineKey

If you want to use the SQLState provider instead, http://msdn.microsoft.com/en-us/library/ms178586.aspx has all the configuration information under the 'Sql Server Mode' section of the page. The setup for that is slightly more involved as you have to configure a database in which you will store the state.

Glenn Stevens
  • 1,998
  • 13
  • 21
  • I think this is the easiest way for us to go without having to purchase/add hardware to the equation. Changing Session to use a State server and hard code it to WWW1 on both servers. – David Mathis Jan 23 '13 at 19:29
  • If you wanted a more robust load balancing solution then round robin DNS without adding hardware (or standing up a linux VM) you could look at the Network Load Balancing functionality built into Windows 2008. There are caveats about using WNLB (some of which are outlined here: [http://www.serverwatch.com/tutorials/article.php/3928536/Network-Load-Balancing-in-Windows-Server-2008-R2.htm](http://www.serverwatch.com/tutorials/article.php/3928536/Network-Load-Balancing-in-Windows-Server-2008-R2.htm). Of course if you do that you probably want to use a SQLState session provider. – Glenn Stevens Jan 24 '13 at 03:47