IIS 7.5 Load Balancing--do Sessions stick to the originating server?

0
votes

Apologies if there is an answer already out here but I've looked at over 2 dozen threads and can't find the specific answer.

So, for our ASP.NET (2.0) application, our infrastructure team set up a load balancer machine that has two IIS 7.5 servers. We have a network file server where the single copy of the application files reside. I know very little about the inner workings of load-balancing and even IIS in general.

My question is regarding sessions. I guess I'm wondering if the 'balancing' part is based on sessions or on individual page requests.

For example, when a user first logs in to the site, he's authenticated (forms), but then while he navigates around from page to page--does IIS 7.5 automatically "lock him in" to the particular server that first logged him in and authenticated him, or could his page requests alternate from one server to the next?

If the requests do indeed alternate, what problems might I face? I've read a bit about duplicating the MachineKey, but we have done nothing in web.config regarding MachineKey--it does not exist there at all.

I will add that we are not experiencing any issues (that we know of anyway) regarding authentication, session objects, etc. - the site is working very well, the question is more academic, and I just want to make sure I'm not missing something that may bite me down the road.

Thanks, Jim

1
asp.netiis-7.5load-balancing
You need same MachineKey on your servers for the encryption purposes. For example, if you don't have sticky session, your page may postback to different server. Without same machine key your second server will not be able to read the viewstate, etc. And then there is password hashing, etc. stackoverflow.com/questions/6801019/machinekey-on-web-farm.T.S.
See this answer stackoverflow.com/questions/16194328/…T.S.

1 Answers

2
votes

while he navigates around from page to page--does IIS 7.5 automatically "lock him in" to the particular server that first logged him in and authenticated him

That depends on the configuration of the load balancer and is beyond the scope of a single IIS. Since you haven't provided any information on what actual balancer you use, I can only provide a general information - regardless of the balancer type (hardware, software), it can be configured for so called "sticky sessions". In such mode, you are guaranteed that once a browser establishes connection to your cluster, it will always hit the same server. There are two example techniques - in first, the balancer just creates a virtual mapping from source IP addresses to cluster node numbers (which means that multiple requests from the same IP hit the same server), in second - the balancer attaches an additional HTTP cookie/header that allows it to recognize the same client and direct it to the same node.

Note that the term "session" has nothing to do with the server side "session" where you have a per-user container. Session here means "client side session", a single browser on a single operating system and a series of request-replies from it to your server.

If the requests do indeed alternate, what problems might I face

Multiple issues. First, encryption, if relies on machine key, will not work. This means that even forms cookies would be rejected by cluster nodes other than the one that issued the cookie. A solution is to have the same machine key on all nodes.

Another common issue would be the inproc session provider - any data stored in the memory of one application server will not "magically" appear on other cluster nodes, thus, making the session data unavailable. A solution is to configure the session to be stored in a separate process, for example in a sql server database.

I will add that we are not experiencing any issues (that we know of anyway) regarding authentication, session objects

Sounds like a positive coincidence or the infrastructure team has already configured sticky sessions. The latter sounds possible, the configuration is usually obvious and easy.