17

I have a Windows Azure Website in shared mode.

Now Azure obviously adds two cookies to my web site: WAWebSiteID and ARRAffinity. I learned that those cookies are there to enable sticky sessions with the Application and Request Routing feature (ARR) behind the Azure load balancers.

Nevertheless, my web site does not require sticky sessions, and I don't want to have those cookies around.

First, I never had the slightest idea of sticky sessions crossing my mind, so I wrote the application to scale well with evenly distributed requests on all frontends. Sticky sessions in fact shift the distribution since there are clients doing a lot of requests and clients doing almost none. When only the first request gets distributed and subsequent requests from the same client stick to the same server, this has severe implications on the overall performance of my application.

Secondly, for data privacy reasons I run a cookieless application, and any cookie is considered 'evil'. I know I could delete them with a little bit of JavaScript, but I don't even want them to be transmitted to the client.

The question is: How can I disable sticky sessions and those two cookies on my Azure website on server side?

Sebastian P.R. Gingter

2 Answers

16

Update

You can now turn it off in the portal in the Web App settings. You can also use the resource explorer as described in this blog post: https://blogs.msdn.microsoft.com/appserviceteam/2016/05/16/disable-session-affinity-cookie-arr-cookie-for-azure-web-apps/

Original

I know that this is an old question, but it seems that the Azure IIS ARR has been updated to version 3 and among other new features it has "Session affinity opt-out".

Ben Ari has a post about it here: http://blogs.technet.com/b/erezs_iis_blog/archive/2013/09/16/new-features-in-arr-application-request-routing-3-0.aspx

The short version is that you can add Arr-Disable-Session-Affinity: True to your response headers and sticky sessions will be disabled.

The easiest way is to add the header in the customHeaders node of the web.config file like so:

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Arr-Disable-Session-Affinity" value="True" />
      </customHeaders>
    </httpProtocol>
</system.webServer>

Geoff
  • Great! I just tried it and it achieves (partially) the goal: The ARRAffinity cookie is not set again. Nevertheless, I still have the WAWebSiteSID cookie hanging around. Looking in the ARR infos for that now. – Sebastian P.R. Gingter Nov 07 '13 at 08:45
  • This is great but now I'm sending this header to the clients instead. I want neither the cookie nor the header in my responses. Any way to remove both? – rmac Jan 24 '16 at 15:06
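
A way to check what actually reaches the client after applying the opt-out, as an added example that is not part of the original answer or comments: it audits a raw response head for the affinity cookies and for the opt-out header itself. The sample responses, host name and cookie values are constructed to mirror what the two comments above report.

```python
"""Added example: audit response headers for ARR affinity cookies (constructed data)."""

# Cookie names as spelled on this page; the header name is from the answer above.
AFFINITY_COOKIES = {"ARRAffinity", "WAWebSiteSID", "WAWebSiteID"}
OPT_OUT_HEADER = "arr-disable-session-affinity"


def parse_headers(raw: str) -> list:
    """Split a raw HTTP response head into (lowercased name, value) pairs."""
    lines = raw.replace("\r\n", "\n").split("\n")
    pairs = []
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():        # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_response(raw: str) -> dict:
    """Report affinity cookies set and whether the opt-out header reaches the client."""
    cookies, header_sent = set(), False
    for name, value in parse_headers(raw):
        if name == "set-cookie":
            # The cookie name is everything before the first '=' of the first pair.
            cookie_name = value.split(";", 1)[0].split("=", 1)[0].strip()
            if cookie_name in AFFINITY_COOKIES:
                cookies.add(cookie_name)
        elif name == OPT_OUT_HEADER:
            header_sent = True
    return {"affinity_cookies": sorted(cookies), "opt_out_header_sent": header_sent}


# Constructed samples (hypothetical host and cookie values), not captured traffic.
DEFAULT = ("HTTP/1.1 200 OK\r\n"
           "Set-Cookie: ARRAffinity=0f3c;Path=/;Domain=example.azurewebsites.net\r\n"
           "Set-Cookie: WAWebSiteSID=9a1b; Path=/; HttpOnly\r\n\r\n")
OPTED_OUT = ("HTTP/1.1 200 OK\r\n"
             "Arr-Disable-Session-Affinity: True\r\n"
             "Set-Cookie: WAWebSiteSID=9a1b; Path=/; HttpOnly\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("default", DEFAULT), ("opted out", OPTED_OUT)):
        print(label, audit_response(raw))
```
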
0

You can't disable sticky sessions for Azure Web Sites. The ARR and sticky sessions are not for you or your app. These are the founding pillars of how Azure Web Sites work. Stickiness is to route requests to your farm (if you have more than one instance).

Check this video to get deeper understanding of Azure Web sites.

UPDATE

Since this answer was first posted there were a lot of updates to the Azure Web Sites Apps. One of them being the possibility to opt out of Affinity Cookie.

Check Geoff's answer for details!

astaykov
  • Okay, it seems there is indeed no way around it. Sad. So I have to delete the cookies myself after every request :( – Sebastian P.R. Gingter Jun 13 '13 at 12:18
  • These cookies have nothing to do with your application. They only help Azure Web Sites to work. Why do you want to delete them? – astaykov Jun 13 '13 at 12:42
  • As I mentioned already in the question: The amount of requests is very unevenly distributed between the clients. When clients are distributed equally between servers by ARR, and produce very unequal load of subsequent requests, this will end up with some servers under extremely heavy load and some who have almost nothing to do. This just doesn't scale well, and so I absolutely need to remove session stickiness to prevent unequal load distribution. – Sebastian P.R. Gingter Jun 13 '13 at 14:51
  • Have you tested that? I doubt that when Azure web sites become GA (now they are in preview) there will be such behavior. I still don't believe this is the case today. The stickiness should only redirect users to your `farm`, which shall have round-robin. This is my understanding. – astaykov Jun 13 '13 at 18:24