HTTP session transfer - http

My question is as follows:
A site is hosted on multiple web servers, all servers refer to same domain.
Sometimes, users login to a central server, but get re-directed to other web servers.
Since domain is the same, cookies will be sent from browser to the new servers.
But server side (uses JSPs) session related data will not be present at the second server.
So, will the second server accept this as an existing session, or, will it deem that there is no session?
For my own reasons, I had to stick to single session, multiple servers approach. This is basically for a game like evony.com, with multiple realms hosted on multiple machines possibly. Login happens once, but same session will be used in multiple server machines. Please let me know.

Related

User Authentication over multiple Webservers in azure

I have an ASP.NET Application which runs on multiple Web Servers in Azure (these are all virtual machines and not Azure Websites).
If a user logs himself in (currently forms authentication) everything is fine but if he clicks on a link he might get redirected to another server in the server group where the session cookie is not set.
How could that be solved in azure so that a user is logged in on all machines or is there a way to "bind" a user to a specific server so that he won't jump between the servers?
Thanks for your help!
metabolic
You have to change the session state to be saved in an external persistence solution, like SQL Server or Redis, instead of InProc (which means in memory) which is the setting you have now. The steps to do that are described here for SQL Server. Then if someone ends up in a different server, he'll still be authenticated as the session will be loaded from the persistence solution.

How can I transfer the user to another server without changing the url

In my asp.net website, I am working with three servers with three different providers. The DNS points to one. When users login, I want to use a lookup table to find the proper server where the user info resides and transfer the users there. The main restriction is:
I cannot use a different sub domain or url for each server. (the user would see a www.example.com/userData in all cases)
I understand that I cannot use server.transfer because they have different httpcontext. Also this is not a load balancing issue even though each server has its own IIS and SQL server. The location of each user is determined beforehand.
What are my options to do so?

Easiest way to securely transfer data from one web to the next

I have 2 web sites running on the same server. Web1 needs to transfer data to web2 (same web server, different webs), passing sensitive data from one to the next. The browser will be using https. Are cookies possible/advisable here? My initial thoughts were to encrypt the data and pass through the querystring, both sites using a shared key. Perhaps also pass an encrypted expiration date to prevent the url from being reused in history if it's on a shared computer.
Figuring it's https and encrypted, initially it sounds ok. However, my gut tells me it's unsecure. Another option is a session server but that seems a bit overkill for what I'm after.
What is the best way to securely transfer a single piece of data from 1 site to the next on the same web and do it relatively simply?
You can just have one site do an http post to the other site server-side. This information would never go through the browser and wouldn't even have to be encrypted (although that certainly wouldn't hurt).
You could even write data to the database and then redirect the user to a page on the second site that would read it (if the two sites can both access the database).
If I'm reading this right, you have two different web sites running on the same web server that need to share data securely. Correct?
If that's the case, don't send the data in the browser. If the sites are on the same server, you can have them communicate directly. Server-side communication within a closed server will be more secure than any system you can deploy to the client's browser.
You should consider implementing a web service on your server to handle the request. That way each website only needs to know about the web service and not about one another.
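The database hand-off suggested in the answers above, sketched in Python as an added example (not code from any of the posters): web1 stores the data server-side and only a random, single-use, short-lived ticket goes through the browser. `HandoffStore`, `redirect_url`, the in-memory dict standing in for the shared database, and the `web2.example` URL are all assumptions made for illustration.

```python
import secrets
import time

class HandoffStore:
    """Stands in for the database both sites can reach (assumption: a dict)."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self._rows = {}
        self._ttl = ttl_seconds
        self._clock = clock

    def deposit(self, payload):
        """Called by web1: keep the payload server-side, return an opaque ticket."""
        ticket = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        self._rows[ticket] = (payload, self._clock() + self._ttl)
        return ticket

    def redeem(self, ticket):
        """Called by web2: the payload once, or None if unknown, used or expired."""
        row = self._rows.pop(ticket, None)        # pop() makes the ticket single-use
        if row is None:
            return None
        payload, expires_at = row
        return payload if self._clock() <= expires_at else None

def redirect_url(ticket):
    # Only the ticket travels through the browser; the host name is a placeholder.
    return "https://web2.example/receive?ticket=" + ticket

def demo():
    now = [1000.0]                                # constructed clock, so expiry is testable
    store = HandoffStore(ttl_seconds=60, clock=lambda: now[0])
    ticket = store.deposit({"account": "constructed-sample-123"})
    url = redirect_url(ticket)
    first = store.redeem(ticket)                  # web2 reads the data
    replay = store.redeem(ticket)                 # same URL reopened from browser history
    stale = store.deposit({"account": "constructed-sample-456"})
    now[0] += 61                                  # user follows the link after the TTL
    expired = store.redeem(stale)
    return url, first, replay, expired
```

With a real database the lookup-and-delete in `redeem` has to be one atomic operation, otherwise two concurrent requests can both redeem the same ticket.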

Load Sharing for ASP.NET sites

Right now, my site is served by a single server, but I anticipate the need to increase my server capacity, soon. Instead of splitting my websites up among multiple servers and having to manage sessions across servers, I want to have multiple web servers all with the same code base on them and use router based round robin load sharing to distribute users to each server. And once a user hits a web server, have him stay with that web server throughout his/her whole session. To my knowledge, I don't need to have any special asp.net code to facilitate this.
Does anyone have any caveats or comments for this approach?
What you are talking about is called sticky sessions or session affinity. If your router supports this, then you are golden.
The only caveat is that the load balancing won't be perfect. If you have a few high-load users who all end up randomly on the same server, they will stay there until the sessions end.
I have implemented this kind of load balancing where I work, and it requires no special asp.net code to implement.
Most (perhaps all) load balancers do have the ability to enforce "sticky" sessions where users on the same IP are directed to the same web server on every request. There is no code change required to accomplish this. There are two caveats that come to mind:
Using sticky sessions will mean that the traffic load will not be distributed as evenly as it would if you were not using sticky sessions. However, the distribution should be "even enough" IMO.
There will be a very small percentage of users using proxy servers that may come in on different IPs on different requests. These users may experience "odd" behavior as they get passed to different servers.
Another characteristic of this configuration is that if one of your servers goes down, the users on that server will lose their sessions as well. I think this is one of the most commonly used setups since it does not require any development effort if the router supports sticky session or session affinity.
As others have mentioned, you should be able to turn on Sticky Sessions on your load balancer, that should take care of most of the "stay on one server" issues for you.
However, you will want to ensure you have put settings in place to cope with a user landing on the wrong server mid session - Sticky Sessions are usually based on IP address, and users' IPs can change mid session if you're unlucky, or a server may go offline, and the user will be directed to the other server.
You should make sure that your MachineKeys are the same across all servers - this will ensure that you can decrypt the viewstate correctly on all servers.
If you own the servers, you can do this in the machine.config, otherwise you can set it at the application level in the web.config, more details can be found in this how to:
Configure MachineKey in ASP.NET 2.0
There are some slight differences if you're running on IIS 7.5 - Tess Ferrandez has more details in a recent post "Forms authentication fails after installing IIS 7.5".
The other thing you'll probably want to do is move your sessionState from InProc to either Sql or StateServer.
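What happens when a request lands on the "wrong" node, as an added example that is not code from any of the posters: a simplified Python model, not ASP.NET's actual cookie or viewstate format, in which `key` stands in for the machine key and `sessions` for the session-state store recommended here and in the InProc answer further up. `WebServer` and `scenario` are hypothetical names.

```python
import hashlib
import hmac
import secrets

class WebServer:
    """One node behind the balancer. `key` plays the machine key and
    `sessions` the session-state store; both are stand-ins (assumptions)."""

    def __init__(self, key, sessions):
        self.key = key
        self.sessions = sessions

    def _sign(self, sid):
        return hmac.new(self.key, sid.encode(), hashlib.sha256).hexdigest()

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user}
        return sid + "." + self._sign(sid)         # signed ticket sent as a cookie

    def handle(self, cookie):
        sid, _, tag = cookie.partition(".")
        if not hmac.compare_digest(tag.encode(), self._sign(sid).encode()):
            return "rejected: ticket was signed with a different key"
        session = self.sessions.get(sid)
        if session is None:
            return "no session: ticket is valid but the state is on another node"
        return "ok: " + session["user"]

def scenario(shared_key, shared_store):
    """Log in on node A, send the next request to node B, return B's verdict."""
    key_a = secrets.token_bytes(32)
    key_b = key_a if shared_key else secrets.token_bytes(32)
    store_a = {}                                   # per-node dict models InProc state
    store_b = store_a if shared_store else {}      # same dict models SQL/StateServer
    node_a = WebServer(key_a, store_a)
    node_b = WebServer(key_b, store_b)
    cookie = node_a.login("alice")                 # constructed user name
    return node_b.handle(cookie)
```

`scenario(False, False)` is rejected on the signature, `scenario(True, False)` passes the signature check but finds no session, and only `scenario(True, True)` is served, which is why both the shared key and the out-of-process store are needed.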

Cross domain session, same application (ASP.NET)

How can I preserve session between domains? They all belong to the same asp.net-application.
I don't think you can do this without a custom implementation. Your session id is stored in a cookie in the browser and it is sent back to the server with each request. That's how the server knows who you are and which session object is yours. When you switch domains, the browser no longer sends this cookie (cookies are sent per domain, so the server will never see the original session cookie and therefore generate a new session cookie for the new domain).
I don't know the architecture of your app related to when the user goes from one domain to the other, but you may just be able to send a common cookie to the browser each time the user accesses each domain for the first time and use this to correlate an in-memory object on the server.
On the assumption that you have the multiple domains specified in the host header for the website that is hosting the application and the application resides in an application pool that is not using any form of web garden it will be served by a single worker process w3wp.exe. As long as your web.config has not specified the session to be stored outproc rather than inproc then session data will be available to all code residing within your application.
