I was reading this article about troubleshooting Azure Application Gateway Session Affinity Issues, and listed as a possible cause it states "My application cannot handle cookie-based affinity". How do I know if my ASP.NET web application can handle cookie-based affinity or not?

Thanks,

Vic
  • Does your application use Session-state? – Dai Apr 18 '20 at 02:03
  • yes, we store a lot of information on the session – Vic Apr 18 '20 at 02:06
  • it is an old application, and it definitely was not designed with load balancing or failover support in mind, but we're trying to avoid having to re-write the session handling at this time and just trying sticky sessions for the moment, but having some problems there, so trying to figure out if we need to change something on the website to support cookie affinity or if it is all configured within Azure. – Vic Apr 18 '20 at 02:09
  • Ensure your affinity cookie is served with the correct `SameSite`, `Secure`, and `HttpOnly` attributes. Is anything intercepting the cookies? Are you using the correct cookie names? What exactly were the test report’s details? – Dai Apr 18 '20 at 02:39
  • But the cookie configuration happens outside the ASP.NET project, right? That's configured in Azure using something like an ingress controller, for instance, correct? What I'm trying to figure out is how to determine if my web project can handle the affinity cookie: do I need to add something to the web config, or modify the request headers on every controller, or create a specific cookie with specific values within my C# code? – Vic Apr 18 '20 at 21:36
  • "But the cookie configuration happens outside the ASP.net project right?" - that depends on how your infrastructure is set up. If it's a conventional ASP.NET or ASP.NET Core web-application that's hosted in IIS then all cookie management happens inside ASP.NET/ASP.NET Core and your application's code. If you're using a "dumb" reverse-proxy (aka Application Gateway or Ingress Controller) **without** any custom logic then that won't make a difference. If you've configured your ARR or NLB to do something to cookies then it gets complicated. – Dai Apr 19 '20 at 04:58
  • In short: We need you to post a LOT more details about your application before we can give any specific advice - there's too much information you've left out of your post. – Dai Apr 19 '20 at 04:58
  • it is a conventional ASP.NET web-application deployed to IIS on the VM, very basic, and in front of the VMs we put an application gateway, but that was causing the requests to bounce every time and the user was being logged out, so a load balancer (lvl 4) was placed between the application gateway and the VMs, which is kind of a hack, but what we would like is to remove the load balancer and have the application gateway do the balancing with sticky sessions. – Vic Apr 20 '20 at 15:21
  • Apologies if I have misunderstood the issue. The application gateway can only perform session-based affinity by using a cookie. If the application cannot handle cookie-based affinity, as a workaround you could use Azure Load Balancer. One of the ways to check cookie-based affinity is to use a network trace/Fiddler trace to review the session logs, to determine whether the cookies provided by the client have ARRAffinity details. – AjayKumar Apr 21 '20 at 08:02
  • If you're actually looking for the IIS configuration to set cookie/session based, see https://learn.microsoft.com/iis/application-frameworks/scenario-build-an-aspnet-website-on-iis/configuring-step-2-configure-asp-net-settings#cookie-mode-for-session-state - configuration of IIS on an Azure VM is generally the same as on-prem. – AjayKumar Apr 21 '20 at 08:05

1 Answer

Firstly, as you're hosting the website on an Azure VM, you would typically deal with this the same way as you would on-prem, unlike on an Azure App Service VM, where for this setting you can just toggle a switch to enable or disable ARR Affinity from Azure Portal > Application Settings.

Kindly refer to this blog post, "Upcoming SameSite Cookie Changes in ASP.NET and ASP.NET Core", for the latest changes.

Just to clarify: the application gateway can only perform session-based affinity by using a cookie. From your issue description, you have set "cookieBasedAffinity": "Enabled", as mentioned in the document, is that correct? You can leverage based on your application needs.

    <httpCookies domain="" httpOnlyCookies="true|false" requireSSL="true|false" />

You cannot add cookies in web.config but you can add some custom section to access cookies. You can handle this via code using the System.Web.HttpCookie.HttpOnly property, as mentioned in this article.

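    // Create the cookie (System.Web.HttpCookie) with its name set in the constructor.
    HttpCookie myHttpOnlyCookie = new HttpCookie("MyHttpOnlyCookie");
    // HttpOnly keeps client-side script from reading the cookie.
    myHttpOnlyCookie.HttpOnly = true;
    Response.AppendCookie(myHttpOnlyCookie);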

As mentioned in the same document you're referring to, you can review the session logs to determine whether the cookies provided by the client have the ARRAffinity details. If you don't find the ARRAffinity details, such as "ARRAffinity= ARRAffinityValue" within the cookie set, that means the client is not replying with the ARR cookie.

Additional discussion on this topic: Token Authentication vs. Cookies

AjayKumar
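
The trace review described in the answer above can be scripted. The following is an added example, not code from the original answer or from Microsoft: it walks a captured sequence of request/response headers and reports when the client stops returning the affinity cookie or when the cookie is issued with attributes a browser will refuse. The trace layout, the function names and the sample values are assumptions made for this illustration; the cookie name is the one quoted on this page and is a parameter.

```python
AFFINITY_COOKIE = "ARRAffinity"  # name quoted on this page; change to match your trace

# Constructed sample trace (not real traffic): one dict per request/response pair.
SAMPLE_TRACE = [
    {"scheme": "https", "cookie": "",
     "set_cookie": ["ARRAffinity=a1b2c3; Path=/; HttpOnly; Secure",
                    "ASP.NET_SessionId=xyz; path=/; HttpOnly"]},
    {"scheme": "https", "cookie": "ASP.NET_SessionId=xyz; ARRAffinity=a1b2c3",
     "set_cookie": []},
    {"scheme": "https", "cookie": "ASP.NET_SessionId=xyz",
     "set_cookie": ["ARRAffinity=d4e5f6; Path=/; HttpOnly; Secure"]},
]

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attrs); attr names lower-cased."""
    first, *rest = [p.strip() for p in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in filter(None, rest):
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs

def parse_cookie_header(header):
    """Parse a request Cookie header into a {name: value} dict."""
    pairs = (p.strip().partition("=") for p in header.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, _, v in pairs}

def audit_affinity(exchanges, name=AFFINITY_COOKIE):
    """Return findings about whether the client sends back the affinity cookie."""
    findings, issued = [], None
    for i, ex in enumerate(exchanges, 1):
        sent = parse_cookie_header(ex.get("cookie", "")).get(name)
        if issued is not None and sent is None:
            findings.append(f"request {i}: client did not return {name}")
        elif issued is not None and sent != issued:
            findings.append(f"request {i}: client returned a different {name} value")
        for header in ex.get("set_cookie", []):
            cname, value, attrs = parse_set_cookie(header)
            if cname != name:
                continue
            if "secure" in attrs and ex.get("scheme") != "https":
                findings.append(f"response {i}: Secure {name} set over plain http")
            if str(attrs.get("samesite", "")).lower() == "none" and "secure" not in attrs:
                findings.append(f"response {i}: SameSite=None on {name} without Secure")
            issued = value
    if issued is None:
        findings.append(f"{name} was never issued in this trace")
    return findings
```

To use it on real data, copy the `Cookie` and `Set-Cookie` headers from a Fiddler or browser network trace into the same shape as `SAMPLE_TRACE` and call `audit_affinity` on the list; an empty result means the cookie was issued and returned unchanged on every later request.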