Forum Discussion

dragonflymr's avatar
dragonflymr
Icon for Cirrostratus rankCirrostratus
May 14, 2015

ASP.NET persistence vs BIG-IP cookie

Hi,

I looked at the post about ASP cookie based persistence and it seems to be quite easy and obvious. What bothers me is what is advantage or rather when it makes more sense to use for example ASP.NET_SessionId cookie and uie and when BIG-IP HTTP cookie insert. Is there in fact any difference in persistence provided by both methods - I mean can it be that ASP.NET_SessionID will be more reliable in directing requests to correct server than HTTP cookie insert?

As side question I am curious if this kind of Set-Cookie headers in response is normal or it is result of some errors on server side?

Set-Cookie: .ASPXANONYMOUS=fNjxtt3E0AEkAAAAMjQwZGVmZDUtYjAxMi00MzlhLWI1ZjctMzA2MTU2Yjc4OGY10; expires=Thu, 23-Jul-2015 00:22:52 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=u5jyy5ccrn354xsytyedwt3l; path=/; HttpOnly
Set-Cookie: .ASPXANONYMOUS=fNjxtt3E0AEkAAAAMjQwZGVmZDUtYjAxMi00MzlhLWI1ZjctMzA2MTU2Yjc4OGY10; expires=Thu, 23-Jul-2015 00:22:52 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=u5jyy5ccrn354xsytyedwt3l; path=/; HttpOnly

Why cookies are repeated? Could it cause any problems with uie ASP.NET_SessionId persistence?

Piotr

application delivery
deployment
design
LTM
TMOS

4 Replies

Sort By
  • Max_Q_factor's avatar
    Max_Q_factor
    Icon for Cirrocumulus rankCirrocumulus
    May 14, 2015

    Those questions may actually be related. Each ASP.net application can set it's own SessionId. say you have 1 application deployed in https://www.site.com/documents and another deployed in https://www.site.com/hr you may end up with multiple ASP.net cookies which could lead to persistence issues. Also each ASP.net application can remove or change the cookies so you may have one application that removes the SessionId, it will be regenerated for the other applications but that may cause perisstance issues.

     

    If you are using a traffic policy (or an iRule like proxy pass) to load balance to different pools via url path or other criteria the F5 cookie option is also nice because F5 will insert a new cookie for each pool name - SOL6917: Overview of BIG-IP persistence cookie encoding

     

    If I were to choose, I would always use the F5 cookie insert because it is a known entity and not externally controlled. On the other hand, it is nice to know when a session no longer needs to be persistent because the SessionId has been removed since the cookie insert is session based.

     

    • dragonflymr's avatar
      dragonflymr
      Icon for Cirrostratus rankCirrostratus
      May 14, 2015
      Hi, Thanks for explanation. I've got the point with app session cookie being possible more granular (can change more often than BIG-IP). Then it seems that using app cookie will potentially allow for better LB, when application finishes given session for given user then there is no more need to send another user session to the same server - but it most probably will be the case with BIG-IP cookie. Seems that stuff related to app session can really get complicated with multiple apps running on the same FQDN :-( But I am still curious if duplicate cookies from my example are something usual or not really - notice that two .ASPXANONYMOUS has same value as well as two ASP.NET_SessionId. My Universal persitnece is in the end generating two Persistence Records as result - both are identical - that seems to be overhead and can use resources. What is as well interesting why those cookies has so long expiration - around two months. What factors do you advice to analyse to decide which kind of persistence will be best for given application? Piotr
    • Max_Q_factor's avatar
      Max_Q_factor
      Icon for Cirrocumulus rankCirrocumulus
      May 14, 2015
      The 2 cookie values being the same may be different users - see here - https://stackoverflow.com/questions/2448720/different-users-get-the-same-cookie-value-in-aspxanonymous The cookie timeouts are up to the application owners to set or modify. As far as what type of persistence I would use on a given application I typically use this line of thoughts: Does the application require new layer 4 connections to go to the same host if so: * Does the application have an LTM application layer profile to track it (like FTP, SIP, etc.) if so, use that and no persistence should be required * Is the Application HTTP based (and if encrypted can I decrypt it?) if so I typically use cookie insert, with source ip address as a backup * Is there some other type of object or offset in a request I can use to indicate a session inside the application request to make a decision, like part of a SQL update statement, FQDN, E.164, etc.
    • dragonflymr's avatar
      dragonflymr
      Icon for Cirrostratus rankCirrostratus
      May 14, 2015
      Thanks, will have to dig in a bit. I doubt doubled cookies are because or other user. I tested it with cache and cookies cleared, just one connection to the main page of the site. I checked link you posted but it's about ASPXANONYMOUS cookie. I am more concerned about repeating of ASP.NET_SessionId (the one I based mu universal persistence). I am not very good in web developing are so I am not sure if I should bother customer to verify why this cookie repeating occurs. Piotr