Why is the `Arr-Disable-Session-Affinity` header coming through on my Azure Web App (WebSite)?

Question

Following the procedure in this article I disabled the ARR Affinity cookie on my Azure Web App with this header in my responses:

Arr-Disable-Session-Affinity: True

It does remove the cookie, which is very much a good thing. But, the header itself is still coming through. This header doesn't really hurt anything, but according to that same doc it shouldn't be there:

If you add the Arr-Disable-Session-Affinity header to disable the affinity cookie, ARR will not set the cookie, but it will also remove the Arr-Disable-Session-Affinity header itself, so if your process is working correctly, you will see neither.

So...how do I get it to remove the header, too?

Answer 1

The article you refer to doesn't say specifically how to add the header so I can't tell if you did it correctly. I haven't tested but according to this article you should set it in the Application_PreSendRequestHeaders:

protected void Application_PreSendRequestHeaders()
{
   Response.Headers.Remove("Server");
   Response.Headers.Remove("X-AspNet-Version");
   Response.Headers.Remove("X-AspNetMvc-Version");
   Response.Headers.Add("Arr-Disable-Session-Affinity", "True");
}

Answer 2

if you have added the Arr-Disable-Session-Affinity custom header as below in your Azure Web App web.config, then it is a correct behavior you still see the Arr-Disable-Session-Affinity header with value set to true and the ARR cookie removed in your HTTP response. I think it's an incorrect statement in the reference blog you provided which stated that the Arr-Disable-Session-Affinity header will be removed.

If you want to remove that header then the cookie will present, it's mutually exclusive.

<system.webServer>
<httpProtocol>
  <customHeaders>
    <add name="Arr-Disable-Session-Affinity" value="true" />
  </customHeaders>
</httpProtocol>