
Azure App Service Authentication Loop Issue

Jonathan Jasica 20 Reputation points
2025-05-22T03:44:57.07+00:00

My Flask web application running on Azure App Service experiences an authentication loop with Microsoft authentication. After users successfully authenticate with Microsoft OAuth, they are redirected back to the login page instead of being properly authenticated. The server logs show the error message "We found no prior log_in() info from current session" which indicates session persistence problems. Notably, the authentication flow works correctly when running the application locally, suggesting this is an Azure-specific issue.

Technical Details

  1. Environment:
     • Azure App Service
     • Flask web application using Microsoft Identity Platform for authentication
     • Session type: filesystem
     • Python 3.13.2
  2. Symptoms:
     • Authentication flow starts correctly
     • User authenticates with Microsoft successfully
     • Instead of maintaining the authenticated state, users are redirected back to login
     • Debug endpoints show session data is not persisting between requests
     • The ARRAffinitySameSite cookie (Azure's sticky session cookie) is present but doesn't seem to be effectively routing requests
  3. Session Configuration:
     • SESSION_TYPE: "filesystem"
     • SESSION_COOKIE_SECURE: true
     • SESSION_COOKIE_HTTPONLY: true
     • SESSION_COOKIE_SAMESITE: "None"
     • SESSION_COOKIE_DOMAIN: ".itracker.dev"
     • SESSION_FILE_DIR: configured to use a persistent directory in Azure
  4. Authentication Flow:
     • Initial request to /api/auth/sign-in redirects to Microsoft login
     • After Microsoft authentication, user is redirected to our /redirect endpoint
     • At this point, the session from the initial request is lost, causing the "no prior log_in info" error
     • Despite session cookies being present, session data appears empty when requests are processed

Solutions Attempted

  1. Explicitly preserving the ARRAffinitySameSite cookie in responses
  2. Configuring a persistent filesystem session directory
  3. Adding explicit cookie handling middleware

Questions for Microsoft Support

  1. Is there a known issue with session persistence in Azure App Service when using load balancing?
  2. Are there specific recommendations for handling authentication sessions across multiple instances? Is my application running on multiple instances?
  3. Could the ARRAffinitySameSite cookie handling be interfering with our session cookies?
  4. Is there a way to ensure that all requests in an authentication flow are handled by the same server instance?

Answer accepted by question author

Bhargavi Naragani 7,940 Reputation points Moderator
2025-05-23T05:05:41.63+00:00

Hi @Jonathan Jasica,

Even though you are on a Basic Plan with only one instance running (as shown in your screenshot), here’s the key insight:

The problem isn’t due to load balancing across instances; it’s due to how Flask handles sessions (local filesystem) and how Azure handles requests during authentication redirects.

Azure may spin down and spin up your app between requests, especially during cold starts, restarts, or heavy resource contention. Since the session is stored in a temp directory, it might get lost even on the same instance. Also, if your app is running in multiple processes (e.g., due to gunicorn/WSGI configurations), the local session file may not be visible across them.

During an OAuth flow, the request typically goes through several redirects (e.g., browser → Microsoft Login → redirect URI). These redirects can trigger a new app worker process or temporarily route through different internal endpoints, even on a single instance. Since Flask stores sessions on local disk by default, and these sessions are not always accessible across all request contexts, the session can appear “lost.”

  • The SESSION_COOKIE_SAMESITE="None" setting requires the cookie to be marked Secure and served over HTTPS, which you are doing, but cross-domain or HTTPS redirect behaviors might still interfere.
  • Azure App Service handles authentication and traffic via front-end proxies/load balancers, which can impact local-only session storage.

To make your Flask app stateless and avoid depending on the local file system, you should switch your session backend to Redis. This ensures that the session persists across any number of requests, redirects, and internal routing behaviors.

Install Flask-Session and Redis libraries:

pip install Flask-Session redis

Update your Flask config:

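from flask import Flask
from flask_session import Session
import redis

app = Flask(__name__)

# Keep session data in Redis instead of on the local filesystem
app.config['SESSION_TYPE'] = 'redis'
# Port 6380 with ssl=True is the TLS endpoint of Azure Cache for Redis
app.config['SESSION_REDIS'] = redis.Redis(host='your-redis-hostname', port=6380, password='your-redis-password', ssl=True)

# Session cookie attributes, unchanged from the question
app.config['SESSION_COOKIE_SECURE'] = True
app.config['SESSION_COOKIE_SAMESITE'] = 'None'
app.config['SESSION_COOKIE_HTTPONLY'] = True

# Register the server-side session interface with the app
Session(app)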

Deploy your app with these settings and configure an Azure Cache for Redis instance.

Reference:
https://learn.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal#session-behavior
https://learn.microsoft.com/en-us/azure/app-service/overview-hosting-plans

If the answer is helpful, please click Accept Answer and kindly upvote it so that other people who face a similar issue may benefit from it.

Let me know if you have any further queries.

1 person found this answer helpful.
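
The failure mode described in the accepted answer, modelled with plain dictionaries as an added example (not code from the question or the answer, and it calls neither Flask nor the identity library). `Worker`, `run_flow` and the result strings are hypothetical names: the session cookie carries only an ID, the OAuth `state` lives in the server-side store, and the callback is refused when the process handling it cannot see the store entry written at sign-in.

```python
import secrets

class Worker:
    """One app process; `store` maps session ID -> server-side session data."""
    def __init__(self, store):
        self.store = store

    def sign_in(self, sid):
        # Start the flow: keep the OAuth state server-side, keyed by the cookie's ID.
        state = secrets.token_urlsafe(16)
        self.store.setdefault(sid, {})["auth_flow"] = {"state": state}
        return state  # travels to the identity provider and back in the URL

    def redirect(self, sid, returned_state):
        # Complete the flow: the returned state must match the one stored at sign-in.
        flow = self.store.get(sid, {}).pop("auth_flow", None)
        if flow is None:
            return "no prior sign-in info in session"  # user is sent back to login
        if not secrets.compare_digest(flow["state"], returned_state):
            return "state mismatch"
        self.store[sid]["user"] = "authenticated"
        return "ok"

def run_flow(first, second):
    """Sign in on worker `first`, receive the callback on worker `second`."""
    sid = secrets.token_urlsafe(16)  # constructed session cookie value
    state = first.sign_in(sid)
    return second.redirect(sid, state)

def demo():
    # Per-process stores: what an unshared or wiped session directory amounts to.
    local = run_flow(Worker({}), Worker({}))
    # One store visible to every process: the role Redis plays in the answer.
    shared_store = {}
    shared = run_flow(Worker(shared_store), Worker(shared_store))
    # With a shared store the state check still rejects a value the app never issued.
    worker = Worker(shared_store)
    sid = secrets.token_urlsafe(16)
    worker.sign_in(sid)
    mismatched = worker.redirect(sid, "not-the-issued-state")
    return local, shared, mismatched

if __name__ == "__main__":
    print(demo())
```

The login loop is the state check failing closed, so the fix is a store every process can reach rather than relaxing the check.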