ARRAffinity cookie lost due to Cross Domain url on Azure Web Apps

ravindra 0 Reputation points
2023-06-08T10:33:06.0833333+00:00

I am migrating one stateful application to an Azure web app. For this migration I have configured an Azure Web App with cookie-based affinity.

Issue:

  • Sessions are lost due to random distribution of requests by the Azure web app with multiple instances.

Expected Behavior:

  • Since it's a stateful application, we want to preserve the session data by redirecting requests to one instance.

Overview:

In the case of stateful applications, Azure does provide an affinity cookie to preserve the session details. Azure uses the domain attribute in the ARRAffinity cookie, which is causing the issue. We want to remove the domain attribute from the ARRAffinity cookie.

For example:

Let's say our Azure web app is configured using a custom domain like abc.domainone.com.

Now, our application is rendered on a 3rd-party web app which has the domain xyz.domaintwo.com.

While accessing the Azure web app via the 3rd-party web app (i.e. xyz.domaintwo.com), Azure adds the ARRAffinity cookie with the domain attribute set to abc.domainone.com.

Because the domain name in the cookie differs from the 3rd-party web URL, the browser is not able to use the ARRAffinity cookie.

Set-Cookie: ARRAffinity=98593782uw92yji3nf0d7dc;Path=/;HttpOnly;Secure;Domain=abc.domainone.com
Set-Cookie: ARRAffinitySameSite=98593782uw92yji3nf0d7dc;Path=/;HttpOnly;SameSite=None;Secure;Domain=abc.domainone.com

Azure App Service

3 answers

  1. FENG CHEN 21 Reputation points
    2023-12-21T13:25:51.95+00:00

    Did some testing: putting an application gateway in front of the web app with a rewrite rule "could" work, with a much smaller restriction:

    The website's landing/index page should not set up another cookie.

    The reason is that App Gateway's rewrite rule will only check the first 'Set-Cookie', and if there is another cookie ahead of ARRAffinity, the rewrite rule will not work.

    AGW rewrite rule:

    Response header:

    condition:

    ARRAffinity(SameSite)*=([A-Za-z0-9]+);(.+)$

    rewrite cookie:

    ARRAffinity={http_resp_Set-Cookie_2};Path=/

    1 person found this answer helpful.
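
What the rewrite rule in this answer produces can be modelled offline. This is an added example, not part of the answer: it applies the posted condition and rewrite value with Python's `re` to constructed headers, takes the first-header-only behaviour from the answer as given, and does not call Application Gateway itself.

```python
import re

# Condition pattern and rewrite value copied from the answer above.
CONDITION = re.compile(r"ARRAffinity(SameSite)*=([A-Za-z0-9]+);(.+)$")
REWRITE = "ARRAffinity={group2};Path=/"  # {group2} stands for {http_resp_Set-Cookie_2}


def attributes(header):
    """Lower-cased attribute names of a Set-Cookie value (all parts after name=value)."""
    parts = header.split(";")[1:]
    return {p.strip().split("=", 1)[0].lower() for p in parts if p.strip()}


def apply_rule(set_cookie_headers):
    """Model the rule, testing only the first Set-Cookie header (as the answer reports).

    Returns (rewritten_header_or_None, attribute_names_the_rewrite_dropped).
    """
    if not set_cookie_headers:
        return None, set()
    first = set_cookie_headers[0]
    match = CONDITION.search(first)  # assumption: unanchored search, like Python's re
    if match is None:
        return None, set()
    rewritten = REWRITE.format(group2=match.group(2))
    return rewritten, attributes(first) - attributes(rewritten)


# Constructed sample headers; the cookie value and the "lang" cookie are placeholders.
ARR = "ARRAffinity=0123abcd;Path=/;HttpOnly;Secure;Domain=abc.domainone.com"
ARR_SS = ("ARRAffinitySameSite=0123abcd;Path=/;HttpOnly;SameSite=None;Secure;"
          "Domain=abc.domainone.com")
APP = "lang=en;Path=/"

if __name__ == "__main__":
    print(apply_rule([ARR, ARR_SS]))       # affinity cookie first: rewritten
    print(apply_rule([ARR_SS]))            # SameSite variant is renamed to ARRAffinity
    print(apply_rule([APP, ARR, ARR_SS]))  # another cookie first: rule does not fire
```

Besides `Domain`, the rewritten value no longer carries `HttpOnly`, `Secure` or `SameSite=None`; browsers that default to `SameSite=Lax` do not send such a cookie on cross-site subrequests.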

  2. ajkuma 28,036 Reputation points Microsoft Employee Moderator
    2023-06-09T19:36:57.8133333+00:00

    Ravindra, thanks for the detailed question. As I understand, you have tried a few things to get this remedied.

    Based on the issue description and my understanding of your scenario - You may check to see if these approaches work and test:

    With slight modification in your code, looks like both the cookies are set: Try removing the domain attribute from the ARRAffinity cookie. You can do this by setting the "ARRAffinitySameSite" cookie instead of the "ARRAffinity" cookie. Typically, the "ARRAffinitySameSite" cookie is the same as the "ARRAffinity" cookie, but without the domain attribute.

    Here's an example of how to set the "ARRAffinitySameSite" cookie in your response headers:

    Set-Cookie: ARRAffinitySameSite=98593782uw92yji3nf0d7dc;Path=/;HttpOnly;SameSite=None;Secure
    

    Note that we've removed the "Domain" attribute from the cookie, and added the "SameSite" attribute with a value of "None". This tells the browser that the cookie can be sent with cross-site requests.

    Or

    If your requirement fits, to remove the domain attribute from the ARRAffinity cookie, you may use the following code in your Azure Web App:

    
    
    <system.webServer>
      <rewrite>
        <outboundRules>
          <rule name="Remove ARR cookie domain">
            <match serverVariable="RESPONSE_Set_Cookie" pattern="ARRAffinity=.*" />
            <action type="Rewrite" value="{R:0}; path=/; HttpOnly; SameSite=None; Secure" />
          </rule>
        </outboundRules>
      </rewrite>
    </system.webServer>
    
    

    This code will remove the domain attribute from the ARRAffinity cookie and set it to the current domain.

    Additional info:

    Session lost due to ARRAffinity Cookies
    (An article from one of my colleagues)

    App Service scale out requires stateless apps?
    (One of my previous discussion threads)

    I hope this helps! Kindly let us know if you have any other questions.


  3. FENG CHEN 21 Reputation points
    2023-12-21T12:27:04.4733333+00:00

    ajkuma,

    I am getting the same issue and trying to find a solution now.

    1. Application Gateway rewrite to remove domain from cookie. This only works if the application doesn't have any other cookies. https://learn.microsoft.com/en-us/azure/application-gateway/rewrite-http-headers-url mentioned the limitation "If a response has more than one header with the same name, then rewriting the value of one of those headers will result in dropping the other headers in the response. This can usually happen with Set-Cookie header since you can have more than one Set-Cookie header in a response.".
    2. Web App rewrite. I tried it with a DotNet 6 test web app, uploaded a web.config to wwwroot:
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <location path="." inheritInChildApplications="false">
        <system.webServer>
          <rewrite>
            <outboundRules>
              <rule name="Remove ARR cookie domain">
                <match serverVariable="RESPONSE_Set_Cookie" pattern="ARRAffinity=.*" />
                <action type="Rewrite" value="{R:0}; path=/; HttpOnly; SameSite=None; Secure" />
              </rule>
            </outboundRules>
          </rewrite>
        </system.webServer>
      </location>
    </configuration>
    

    But it doesn't seem to work:

    curl -I https://mytestwebsite.azurewebsites.net
    HTTP/1.1 200 OK
    Content-Length: 3269
    Content-Type: text/html
    Date: Thu, 21 Dec 2023 12:13:54 GMT
    Server: Microsoft-IIS/10.0
    Accept-Ranges: bytes
    ETag: "5697a1e5707fd91:0"
    Last-Modified: Fri, 05 May 2023 16:44:44 GMT
    Set-Cookie: ARRAffinity=a6e48b9e9d2653435be7b61998d8624b44115214104213d6c8b8c526cc56dc70;Path=/;HttpOnly;Secure;Domain=mytestwebsite.azurewebsites.net
    Set-Cookie: ARRAffinitySameSite=a6e48b9e9d2653435be7b61998d8624b44115214104213d6c8b8c526cc56dc70;Path=/;HttpOnly;SameSite=None;Secure;Domain=mytestwebsite.azurewebsites.net
    X-Powered-By: ASP.NET
    
    

    Do you see any reason why my web.config doesn't work?

    Thanks.
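
The `Set-Cookie` headers in the `curl` output above and in the question can be checked against the browser's cookie domain-matching rule (RFC 6265, section 5.1.3). This is an added example, not part of the thread: the header text and cookie values are constructed, and `browser_host` (the host name the browser actually addresses) is an assumption of the example. Public-suffix and IP-address checks are left out.

```python
# Constructed response headers in the shape of the curl output above.
CURL_OUTPUT = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: ARRAffinity=0123abcd;Path=/;HttpOnly;Secure;Domain=abc.domainone.com
Set-Cookie: ARRAffinitySameSite=0123abcd;Path=/;HttpOnly;SameSite=None;Secure;Domain=abc.domainone.com
X-Powered-By: ASP.NET
"""


def set_cookie_headers(raw):
    """Return every Set-Cookie value from raw response headers, in order."""
    values = []
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def cookie_domain(header):
    """Return the Domain attribute (lower-cased, leading dot removed) or None."""
    for attr in header.split(";")[1:]:
        key, _, val = attr.strip().partition("=")
        if key.lower() == "domain" and val:
            return val.strip().lstrip(".").lower()
    return None


def domain_matches(host, domain):
    """RFC 6265 section 5.1.3: identical, or host ends with '.' + domain."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def audit(raw, browser_host):
    """List (cookie name, Domain, stored?) as a browser at browser_host sees it."""
    rows = []
    for header in set_cookie_headers(raw):
        name = header.split("=", 1)[0]
        domain = cookie_domain(header)
        # No Domain attribute means a host-only cookie, which is always stored.
        stored = domain is None or domain_matches(browser_host, domain)
        rows.append((name, domain, stored))
    return rows


if __name__ == "__main__":
    for host in ("abc.domainone.com", "xyz.domaintwo.com"):
        print(host, audit(CURL_OUTPUT, host))
```

Running `audit` on saved `curl -I` output before and after a rewrite rule is deployed shows whether the `Domain` attribute was actually removed for the host the browser uses.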

