Oracle Cloud Infrastructure Documentation

Session Persistence

Session persistence is supported on Private Cloud Appliance.

Tip

Cookie-based session persistence is not provided by default. It's available for application load balancers if a defined tag is applied to enable that specific implementation. For more information, see LBaaS Implementation Options.

Session persistence is a method to direct all requests originating from a single logical client to a single backend web server. Backend servers that use caching to improve performance, or to enable log-in sessions or shopping carts, can benefit from session persistence.

You enable session persistence when you create a load balancer or when you create a backend set. You can also edit an existing backend set to enable, disable, or change the session persistence configuration.

The Load Balancing service offers two mutually exclusive cookie-based configurations for enabling session persistence: application cookie stickiness and load balancer cookie stickiness.

Note

IP address-driven session persistence

Some products offer session persistence support without cookies. These products depend on the IP address of the incoming request. ISP proxies and company exit gateways can issue many requests from a single IP address. In this case, a single backend server can be subject to high traffic volumes. Your backend fleet can become overwhelmed, one server at a time, even though effective load balancing is possible.

Another weakness of IP address-driven session persistence is that the originating IP address can change. In this case, session persistence can be lost or the request redirected to the wrong backend server.

Application Cookie Stickiness

To configure application cookie session persistence, you only need to specify a cookie name. By default, traffic from a persistent session client is redirected to a different backend server when the original server is unavailable. This fallback behavior cannot be disabled.

The Load Balancing service activates application cookie session persistence (stickiness) when a backend server sends a Set-Cookie response header containing a recognized cookie name. The cookie name must match the name specified in the backend set configuration. If the configuration specifies a match-all pattern ( "*") any cookie set by the server activates session persistence. Unless a backend server activates session persistence, the service follows the load balancing policy specified when you created the load balancer.

Requirements:

  • The load balancer must operate in HTTP mode to support server side, cookie-driven session persistence.

  • The client computer must accept cookies for load balancing session persistence to work.

How It Works:

The Load Balancing service calculates a hash of the configured cookie and other request parameters, and sends that value to the client in a cookie. The value stored in the cookie enables the service to route subsequent client requests to the correct backend server. If your backend servers change any of the defined cookies, the service recomputes the cookie's value and resends it to the client.

Note

We recommend that you treat cookie data as an opaque entity. Do not use it in your applications.

The backend server can stop application cookie persistence by deleting the session persistence cookie. If you used the match-all pattern, it must delete all cookies. You can delete cookies by sending a Set-Cookie response header with a past expiration date. The Load Balancing service routes subsequent requests using the configured load balancing policy.

Load Balancer Cookie Stickiness

When you configure load balancer cookie stickiness, the load balancer inserts a cookie into the response. The parameters configured within the cookie enable session stickiness. This method is useful when you have applications and web backend services that cannot generate their own cookies.

To configure load balancer cookie session persistence, you specify these parameters and settings:

The cookie name

If you do not specify a cookie name, the default name is X-Oracle-BMC-LBS-Route.

Note

Ensure that the cookie name used at the backend application servers is different from the cookie name used at the load balancer. To minimize the chance of name collision, We recommend that you use a prefix such as X-Oracle-OCI-.

If both a backend server and the load balancer insert cookies with the same name, the client or browser behavior can vary depending on the domain value associated with the cookie. If the name and domain values of the Set-cookie header (generated by a backend server) and the Set-cookie header (generated by the load balancer) are the same, the client or browser treats them as one cookie. The client returns only one of the cookie values in subsequent requests. If both Set-cookie names are the same, but the domain names are different, the client or browser treats them as two different cookies.

The domain in which the cookie is valid

The Set-cookie header inserted by the load balancer contains a domain attribute with the specified value. This attribute has no default value. If you do not specify a value, the load balancer does not insert the domain attribute into the Set-cookie header.

Note

  • RFC 6265 - HTTP State Management Mechanism describes client and browser behavior when the domain attribute is present or not present in the Set-cookie header.

    If the value of the Domain attribute is example.com in the Set-cookie header, the client includes the same cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.abc.example.com. If the Domain attribute is not present, the client returns the cookie only for the domain to which the original request was made.

  • Ensure that this attribute specifies the correct domain value. If the Domain attribute in the Set-cookie header does not include the domain to which the original request was made, the client or browser might reject the cookie. As specified in RFC 6265, the client accepts a cookie with the Domain attribute value example.com or www.example.com sent from www.example.com. It does not accept a cookie with the Domain attribute abc.example.com or www.abc.example.com sent from www.example.com.

Whether the Set-cookie header should contain the Secure attribute

The Secure attribute directs the client or browser to send the cookie only using a secure protocol.

Note

If you set this field to true, you cannot associate the corresponding backend set with an HTTP listener.

Whether the Set-cookie header should contain the HttpOnly attribute

The HttpOnly attribute limits the scope of the cookie to HTTP requests. This attribute directs the client or browser to omit the cookie when providing access to cookies through non-HTTP APIs. For example, it restricts the cookie from JavaScript channels.

These parameters cannot be used:

The amount of time the cookie remains valid

The maximum age attribute (maxAgeInSeconds) of the Set-cookie header inserted by the load balancer must not be specified. It has no default value either. The client or browser typically retains the cookie until the current session ends, as defined by the client.

The URI path in which the cookie is valid

The path attribute of the Set-cookie header inserted by the load balancer must not be specified. The default value ("/") is always used.

Whether to disable fallback for unavailable servers

Refer to the Fallback section below.

Fallback

By default, the Load Balancing service directs traffic from a persistent session client to a different backend server when the original server is unavailable. You cannot configure the backend set to disable this fallback behavior.

Note

The Load Balancing service considers a server marked drain available for existing persisted sessions. New requests that are not part of an existing persisted session are not sent to that server.