vkv

Reputation: 1010

How does cookie-based authentication work in a multiple-instance web application?

I have a stateless application (ASP.NET MVC 4.7.2), which runs on multiple instances (Azure).

My application uses forms authentication (cookie-based).

When I log in, in some cases I get the response back from a different instance and the system shows me as not logged in; on refresh it shows me as logged in again. Is this supposed to happen with multiple instances? (It is not always reproducible, e.g. when the request and response are served by the same instance, and the issue seems not to be reproducible a while after login.)

I tried enabling ARR affinity, and I could not reproduce the issue. I tried with 1 instance, and I could not reproduce the issue.

But I'm not supposed to enable ARR affinity, as I constantly scale the instance count up and down (I had an issue when scaling down: users were getting 503s).

Is there any solution to fix this issue with login when we have multiple instances?

Upvotes: 4

Views: 1031

Answers (3)

milo

Reputation: 520

The issue with Cookies and multi-instance scenarios is that the instance that creates and signs the token is not guaranteed to be the instance that validates it. That's why ARR affinity solves this issue, because the instance that issues the cookie will always be the instance that validates it.

What needs to happen for both instances to authenticate cookies correctly in this scenario is to store the key ring in a shared location between instances, e.g. SQL, Redis, Azure Key Vault etc.

https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/key-storage-providers?view=aspnetcore-1.0&tabs=visual-studio (I know this is for ASP.NET Core but from a quick search it seems that Data protection API is used on .NET Framework also)

Upvotes: 0
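An added example (not code from the question or from this answer) that models the behaviour described above: a forms-authentication-style ticket is a payload plus a keyed MAC, so an instance that validates it with a different key rejects it, while instances that load the same key all accept it. The `WebInstance` class, the HMAC-SHA256 tag format and the key sizes are assumptions for illustration, standing in for the framework's own ticket format and key ring.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

# Constructed model of a cookie-based authentication ticket:
#   cookie = base64url(payload) + "." + base64url(HMAC-SHA256(key, payload))
# The instance that VALIDATES the cookie needs the same key as the one that ISSUED it.


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class WebInstance:
    """One scaled-out instance (assumed name). `validation_key` plays the role of
    the key ring shared between instances; in the failing setup each instance has its own."""

    def __init__(self, name: str, validation_key: bytes):
        self.name = name
        self.key = validation_key

    def issue_cookie(self, user: str, ttl_seconds: int = 1200, now=None) -> str:
        issued_at = now if now is not None else time.time()
        payload = json.dumps({"user": user, "exp": int(issued_at + ttl_seconds)}).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(tag)

    def validate_cookie(self, cookie: str, now=None):
        """Return the user name the cookie proves, or None if it is invalid or expired."""
        try:
            payload_b64, tag_b64 = cookie.split(".", 1)
            payload = _unb64(payload_b64)
            tag = _unb64(tag_b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        # Constant-time comparison so the tag check does not leak timing information.
        if not hmac.compare_digest(expected, tag):
            return None
        claims = json.loads(payload)
        current = now if now is not None else time.time()
        if claims["exp"] < current:
            return None
        return claims["user"]


def per_instance_keys_demo():
    """Each instance generated its own key: the symptom from the question."""
    a = WebInstance("A", os.urandom(32))
    b = WebInstance("B", os.urandom(32))
    cookie = a.issue_cookie("alice")          # login handled by instance A
    return a.validate_cookie(cookie), b.validate_cookie(cookie)   # ('alice', None)


def shared_key_demo():
    """Both instances load the same key (e.g. from SQL/Redis/Key Vault): any instance validates."""
    shared = os.urandom(32)                   # stands in for the shared key ring
    a = WebInstance("A", shared)
    b = WebInstance("B", shared)
    cookie = a.issue_cookie("alice")
    return a.validate_cookie(cookie), b.validate_cookie(cookie)   # ('alice', 'alice')


if __name__ == "__main__":
    print("per-instance keys:", per_instance_keys_demo())
    print("shared key:       ", shared_key_demo())
```

The per-instance-keys case is exactly the "logged in on refresh, not logged in on the next request" behaviour: whichever instance issued the cookie accepts it, the other one rejects it and treats the user as anonymous. On ASP.NET on the .NET Framework the equivalent of the shared key ring is a fixed `<machineKey>` (validationKey and decryptionKey) in web.config that is identical on every instance; the principle is the same as the Data Protection key storage linked above.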

Ilam

Reputation: 328

  1. Send the information required to prove authentication in an encrypted format in the cookie, so each instance can decrypt it and use it. OR
  2. Store the authentication information in the database with a long key and send the key in the cookie, so each instance can look it up in the database. OR
  3. If you want to up your security game, do 2, encrypt the key and send the encrypted key in the cookie, so each instance can decrypt the key and look it up in the database.

Upvotes: 0
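An added example (not code from the question or from this answer) of option 2 above: the cookie carries only an opaque random key, and the session record lives in a store that every instance can reach, here an in-memory dict standing in for SQL or Redis. The `SharedSessionStore` and `SessionBackedInstance` names and the record layout are assumptions. It also shows what a server-side store gives you that a self-contained encrypted cookie does not: logging out on one instance revokes the session on all of them immediately.

```python
import secrets
import time

# Constructed model of "opaque key in the cookie, session data in a shared store".
# The cookie value reveals nothing about the user; it is only a lookup key.


class SharedSessionStore:
    """Dict standing in for a store reachable from every instance (SQL, Redis); assumption."""

    def __init__(self):
        self._rows = {}

    def put(self, key: str, record: dict) -> None:
        self._rows[key] = record

    def get(self, key: str):
        return self._rows.get(key)

    def delete(self, key: str) -> None:
        self._rows.pop(key, None)


class SessionBackedInstance:
    """One scaled-out instance (assumed name) that keeps no session state locally."""

    def __init__(self, name: str, store: SharedSessionStore):
        self.name = name
        self.store = store

    def login(self, user: str, now=None, ttl_seconds: int = 1200) -> str:
        issued_at = now if now is not None else time.time()
        # 256 bits from the OS CSPRNG: unguessable, so the key alone is the credential.
        key = secrets.token_urlsafe(32)
        self.store.put(key, {"user": user, "exp": issued_at + ttl_seconds, "issued_by": self.name})
        return key                           # this value goes into the cookie

    def current_user(self, cookie_key: str, now=None):
        """Resolve the cookie to a user on ANY instance, or None if unknown or expired."""
        record = self.store.get(cookie_key)
        if record is None:
            return None
        current = now if now is not None else time.time()
        if record["exp"] < current:
            self.store.delete(cookie_key)    # lazy cleanup of expired rows
            return None
        return record["user"]

    def logout(self, cookie_key: str) -> None:
        # Server-side revocation: effective on every instance at once,
        # unlike an encrypted self-contained cookie, which stays valid until it expires.
        self.store.delete(cookie_key)


def scale_out_demo():
    """Login on A, read on B, logout on B, read again on A."""
    store = SharedSessionStore()
    a = SessionBackedInstance("A", store)
    b = SessionBackedInstance("B", store)
    cookie = a.login("alice", now=1000)
    seen_by_b = b.current_user(cookie, now=1001)
    b.logout(cookie)
    after_logout = a.current_user(cookie, now=1002)
    return seen_by_b, after_logout           # ('alice', None)


def local_store_demo():
    """The failure mode from the question: each instance keeps its own store."""
    a = SessionBackedInstance("A", SharedSessionStore())
    b = SessionBackedInstance("B", SharedSessionStore())
    cookie = a.login("alice", now=1000)
    return a.current_user(cookie, now=1001), b.current_user(cookie, now=1001)   # ('alice', None)


if __name__ == "__main__":
    print("shared store:", scale_out_demo())
    print("local store: ", local_store_demo())
```

Because the cookie value is only a lookup key, a stolen or expired key is neutralised by deleting one row, and rotating the store's encryption or the instances themselves does not invalidate sessions; the cost is one store round-trip per request, which is why the store must be low-latency and highly available.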

Thiago Custodio

Reputation: 18387

The idea of ARR affinity is to route requests to the same instance (sticky sessions). Usually, it works fine, unless the instance gets removed for some reason.

You will face these issues as you don't have control over the instances / LB. The 'solution' would be to work with some other kind of authentication and with a dedicated session server.

Upvotes: 4
