Load Balancer Session Persistence

Application Cookie Stickiness

To configure application cookie session persistence, you specify a cookie name and decide whether to disable fallback for unavailable servers.

The Load Balancer service activates application cookie session persistence (stickiness) when a backend server sends a Set-Cookie response header containing a recognized cookie name. The cookie name must match the name specified in the backend set configuration. If the configuration specifies a match-all pattern, '*', any cookie set by the server activates session persistence. Unless a backend server activates session persistence, the service follows the load balancing policy specified when you created the load balancer.

Requirements:

• Your load balancer must operate in HTTP mode to support server side, cookie-driven session persistence.

• The client computer must accept cookies for Load Balancer session persistence feature to work.

How It Works

The Load Balancer service calculates a hash of the configured cookie and other request parameters, and sends that value to the client in a cookie. The value stored in the cookie enables the service to route subsequent client requests to the correct backend server. If your backend servers change any of the defined cookies, the service recomputes the cookie's value and resends it to the client.

The backend server can stop application cookie persistence by deleting the session persistence cookie. If you used the match-all pattern, it must delete all cookies. You can delete cookies by sending a Set-Cookie response header with a past expiration date. The Load Balancer service routes subsequent requests using the configured load balancing policy.

Load Balancer Cookie Stickiness

When you configure load balancer cookie stickiness, the load balancer inserts a cookie into the response. The parameters configured within the cookie enable session stickiness. This method is useful when you have applications and web backend services that cannot generate their own cookies.

To configure load balancer cookie session persistence, you specify:

• The cookie name.

  If you do not specify a cookie name, the default name is X-Oracle-BMC-LBS-Route.

  Note
  
  

  Ensure that the cookie name used at the backend application servers is different from the cookie name used at the load balancer. To minimize the chance of name collision, Oracle recommends that you use a prefix such as X-Oracle-OCI-.

  If both a backend server and the load balancer insert cookies with the same name, the client or browser behavior can vary depending on the domain value associated with the cookie. If the name and domain values of the Set-cookie header (generated by a backend server) and the Set-cookie header (generated by the load balancer) are the same, the client or browser treats them as one cookie. The client returns only one of the cookie values in subsequent requests. If both Set-cookie names are the same, but the domain names are different, the client or browser treats them as two different cookies.

• The domain in which the cookie is valid. The Set-cookie header inserted by the load balancer contains a domain attribute with the specified value.

  This attribute has no default value. If you do not specify a value, the load balancer does not insert the domain attribute into the Set-cookie header.

  Note
  
  

  • RFC 6265 - HTTP State Management Mechanism describes client and browser behavior when the domain attribute is present or not present in the Set-cookie header.

    If the value of the Domain attribute is example.com in the Set-cookie header, the client includes the same cookie in the Cookie header when making HTTP requests to example.com, www.example.com, and www.abc.example.com. If the Domain attribute is not present, the client returns the cookie only for the domain to which the original request was made.

  • Ensure that this attribute specifies the correct domain value. If the Domain attribute in the Set-cookie header does not include the domain to which the original request was made, the client or browser might reject the cookie. As specified in RFC 6265, the client accepts a cookie with the Domain attribute value example.com or www.example.com sent from www.example.com. It does not accept a cookie with the Domain attribute abc.example.com or www.abc.example.com sent from www.example.com.

   

• The URI path in which the cookie is valid. The Set-cookie header inserted by the load balancer contains a Path attribute with the specified value.

  Clients include the cookie in an HTTP request only if the path portion of the request-uri matches, or is a subdirectory of, the cookie's Path attribute.

  The default value is `/`.

• The amount of time the cookie remains valid. The Set-cookie header inserted by the load balancer contains a Max-Age attribute with the specified value.

  The specified value must be at least one second. No default value for this attribute exists. If you do not specify a value, the load balancer does not include the Max-Age attribute in the Set-cookie header. Usually, the client or browser retains the cookie until the current session ends, as defined by the client.

• Whether the Set-cookie header should contain the Secure attribute. The Secure attribute directs the client or browser to send the cookie only using a secure protocol.

  Note
  
  

  If you set this field to true, you cannot associate the corresponding backend set with an HTTP listener.

• Whether the Set-cookie header should contain the HttpOnly attribute. The HttpOnly attribute limits the scope of the cookie to HTTP requests. This attribute directs the client or browser to omit the cookie when providing access to cookies through non-HTTP APIs. For example, it restricts the cookie from JavaScript channels.

• Whether to disable fallback for unavailable servers.