8
votes

Following the procedure in this article I disabled the ARR Affinity cookie on my Azure Web App with this header in my responses:

Arr-Disable-Session-Affinity: True

It does remove the cookie, which is very much a good thing. But, the header itself is still coming through. This header doesn't really hurt anything, but according to that same doc it shouldn't be there:

If you add the Arr-Disable-Session-Affinity header to disable the affinity cookie, ARR will not set the cookie, but it will also remove the Arr-Disable-Session-Affinity header itself, so if your process is working correctly, you will see neither.

So...how do I get it to remove the header, too?

2
I am about to ask the same question and found yours. - Amry
I assume things will go wonky without this header value if the app uses in-process state and scaling? - Timothy Lee Russell
@TimothyLeeRussell if you use in-proc state then just don't do anything. The default behavior has session/server affinity so you should be fine. In my case I don't want affinity so I have to add this header to remove it. - Michael Haren
@MichaelHaren Thanks, that's what I figured. Unfortunately, security scanners don't like the affinity cookie since it isn't httpOnly and doesn't requireSSL. - Timothy Lee Russell
One thing that I realized is that the Azure UI does not properly reflect the change: even if you set the variable in the Web.config, the properties in the portal say ON and do not change accordingly. - Javier Hertfelder

2 Answers

1
votes

If you have added the Arr-Disable-Session-Affinity custom header as below in your Azure Web App web.config, then it is correct behavior that you still see the Arr-Disable-Session-Affinity header with value set to true and the ARR cookie removed in your HTTP response. I think it's an incorrect statement in the reference blog you provided which stated that the Arr-Disable-Session-Affinity header will be removed.

If you want to remove that header then the cookie will be present; they are mutually exclusive.

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <!-- Tells Azure's ARR front end not to issue the ARRAffinity cookie -->
      <add name="Arr-Disable-Session-Affinity" value="true" />
    </customHeaders>
  </httpProtocol>
</system.webServer>


0
votes

The article you refer to doesn't say specifically how to add the header, so I can't tell if you did it correctly. I haven't tested it, but according to this article you should set it in Application_PreSendRequestHeaders:

// In Global.asax.cs; runs just before response headers are sent
protected void Application_PreSendRequestHeaders()
{
   // Strip server fingerprinting headers
   Response.Headers.Remove("Server");
   Response.Headers.Remove("X-AspNet-Version");
   Response.Headers.Remove("X-AspNetMvc-Version");
   // Ask ARR not to set the affinity cookie
   Response.Headers.Add("Arr-Disable-Session-Affinity", "True");
}
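Both answers boil down to one observable outcome: the response should carry the Arr-Disable-Session-Affinity header and no ARRAffinity Set-Cookie, and the comment thread notes that scanners flag the cookie because it lacks HttpOnly and Secure. Below is an added checker, not code from the question or either answer, that inspects captured response headers for exactly those conditions; the sample responses are constructed, and matching cookie names by the prefix "ARRAffinity" is my assumption so that any ARR affinity cookie variant is caught.

```python
from dataclasses import dataclass, field

# Constructed sample: default App Service response, affinity cookie issued without flags
RESPONSE_WITH_COOKIE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: ARRAffinity=abc123; Path=/; Domain=example.azurewebsites.net
Set-Cookie: sessionid=xyz; Path=/; HttpOnly; Secure
"""

# Constructed sample: header added via web.config, cookie no longer issued
RESPONSE_DISABLED = """HTTP/1.1 200 OK
Content-Type: text/html
Arr-Disable-Session-Affinity: true
Set-Cookie: sessionid=xyz; Path=/; HttpOnly; Secure
"""


@dataclass
class AffinityReport:
    disable_header_present: bool
    affinity_cookie_present: bool
    missing_flags: list = field(default_factory=list)  # flags absent on any ARR cookie


def parse_headers(raw: str):
    """Split raw response headers into (lowercased name, value) pairs."""
    pairs = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_affinity(raw: str) -> AffinityReport:
    """Report header presence, affinity cookie presence, and missing cookie flags."""
    headers = parse_headers(raw)
    disable = any(n == "arr-disable-session-affinity" and v.lower() == "true"
                  for n, v in headers)
    cookies = [v for n, v in headers if n == "set-cookie"]
    # Assumption: ARR affinity cookies share the "ARRAffinity" name prefix
    affinity = [c for c in cookies
                if c.split("=", 1)[0].strip().lower().startswith("arraffinity")]
    missing = set()
    for cookie in affinity:
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        missing.update(f for f in ("httponly", "secure") if f not in attrs)
    return AffinityReport(disable, bool(affinity), sorted(missing))
```

Run it against headers captured with `curl -i` from your own app; a clean result is disable_header_present True, affinity_cookie_present False, and an empty missing_flags list.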