As discussed in "Disable Session affinity cookie (ARR cookie) for Azure web apps - Azure App Service", the ARRAffinity cookie is a built-in feature of Azure App Service that facilitates session data management. Today we study a typical case to help those concerned avoid potential business impact.
Most of the time the web app works fine; then, suddenly, the issue comes up.
When the issue occurred, the user kept being redirected to the login page, as if the user were being logged out by someone else.
The web app has the following settings:
After investigation, we found that the issue was caused by the ARRAffinity cookie. It can be reproduced with the steps below:
Access the web app through the root domain (here we are testing with the domains boqianwebsite.org and www.boqianwebsite.org). We can see that the value of the Domain attribute for the ARRAffinity cookie is the root domain, boqianwebsite.org.
If the worker instance is removed from the service plan, the ARRAffinity value of the removed instance becomes invalid. To simulate this, we update the above ARRAffinity cookie to an invalid value.
This issue is caused by 2 facts:
To solve this problem, we have 2 options:
Considering the implementation of those two options and the customer's environment (they have a redirection rule, since they want users to access the site from the subdomain instead of the root domain), we chose option 1: we keep only the subdomain's ARRAffinity cookie, so the App Service FrontEnd can always pick up the correct one. This is easily achieved by adding the piece of configuration below to the web.config: Set ARRAffinity cookies after redirection.
<httpProtocol>
  <redirectHeaders>
    <!-- disable the ARRAffinity cookie, returned only when redirection occurs. -->
    <add name="Arr-Disable-Session-Affinity" value="true" />
  </redirectHeaders>
</httpProtocol>
After this change, when we access the web app through the root domain http://boqianwebsite.org, we can see that a new header, Arr-Disable-Session-Affinity: true, is added to the response, and no ARRAffinity cookie is set.
The ARRAffinity cookie is set only when the request is redirected to the subdomain www.boqianwebsite.org, and if we refresh the page, this cookie stays the same.
Hope the above case study helps!
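The cookie scoping behind this case can be modelled offline. The following is an added example, not code from the original post: it applies RFC 6265 domain matching to show which ARRAffinity cookies a browser sends to www.boqianwebsite.org before and after the web.config change. The cookie values are constructed, and the Domain attribute of the subdomain's cookie is an assumption.

```python
# Added example: RFC 6265 domain matching applied to the ARRAffinity cookies.
# Header values below are constructed; only the root cookie's Domain is from the page.
from http.cookies import SimpleCookie

ROOT, WWW = "boqianwebsite.org", "www.boqianwebsite.org"

def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: identical, or host is a subdomain of cookie_domain."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def store(jar, response_host, set_cookie_headers):
    """Record cookies the way a browser keys them: by (name, domain)."""
    for header in set_cookie_headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            host_only = not morsel["domain"]  # no Domain attribute: exact host only
            domain = (morsel["domain"] or response_host).lstrip(".").lower()
            jar[(name, domain)] = (morsel.value, host_only)

def cookies_sent(jar, request_host, name="ARRAffinity"):
    """Return (domain, value) for every stored cookie `name` sent to request_host."""
    sent = []
    for (n, domain), (value, host_only) in jar.items():
        if n != name:
            continue
        if host_only:
            ok = request_host.lower() == domain
        else:
            ok = domain_match(request_host, domain)
        if ok:
            sent.append((domain, value))
    return sent

def simulate(root_headers, www_headers):
    """Visit the root domain, follow the redirect to www, then request www again."""
    jar = {}
    store(jar, ROOT, root_headers)
    store(jar, WWW, www_headers)
    return cookies_sent(jar, WWW)

# Before the fix: the root response sets a cookie scoped to the root domain,
# which later points at a removed instance ("stale-instance").
BEFORE_ROOT = ["ARRAffinity=stale-instance; Path=/; HttpOnly; Domain=boqianwebsite.org"]
# After the fix: the redirect carries Arr-Disable-Session-Affinity: true, no Set-Cookie.
AFTER_ROOT = []
WWW_HEADERS = ["ARRAffinity=live-instance; Path=/; HttpOnly; Domain=www.boqianwebsite.org"]

if __name__ == "__main__":
    print("before fix:", simulate(BEFORE_ROOT, WWW_HEADERS))
    print("after fix: ", simulate(AFTER_ROOT, WWW_HEADERS))
```

Before the fix the subdomain request carries two ARRAffinity cookies, one of them stale; after the fix only the subdomain's own cookie is sent.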