
I have two web apps - App-A & App-B - running in 2 EC2 instances (both web apps are running in both instances) fronted with an AWS ELB. The session stickiness is enabled using 'Application Generated Cookie Stickiness' and the cookie is set as "JSESSIONID".

Following is the scenario:

1) User first tries to access App-B. The request goes to Node-A and app creates a JSESSIONID with the path "/appb/" and ELB generates an AWSELB cookie for the same path.

Set-cookie headers coming to the browser:

Set-Cookie: JSESSIONID=8629A2C6FA26A99678599B0868511610; Path=/appb/; Secure; HttpOnly
Set-Cookie: AWSELB=B321B10B128ADF1E237E8419717E1CC409A63A5C6B3EA2E2C6CEE56E4F76FCE48DFDA95F1F20ED1ADEED570326993D2492C17C070ED41500F3EDC7EB993ED53188BF73D37301213483075952D1ADAD619C3C890672;PATH=/appb/;SECURE;HTTPONLY

2) Then user tries to access App-A. The request goes to Node-B and app creates a JSESSIONID with the path "/" and ELB generates an AWSELB cookie for the same path.

Set-cookie headers coming to the browser:

Set-Cookie: JSESSIONID=5DA3507629D0CB34DE1B032FA71D1CB2; Path=/; Secure; HttpOnly
Set-Cookie: AWSELB=B321B10B128ADF1E237E8419717E1CC409A63A5C6BC5080020E5701A0FB3756B152B401A70BF4CA755D30D9B06C82E5C1EB2E81E99C160A62D108BDB79947DEF2E2421C11C513C2C7452FA63B46EE8DF693FB5ED03;PATH=/;SECURE;HTTPONLY

3) Now the user tries to access App-B again. The browser sends both JSESSIONID cookies and the 2 AWSELB cookies to it, because App-A's cookies are created for "/". As far as I know, a cookie for the root context should be sent to all the other web contexts in the same domain.

Following is the cookie header going to App-B:

Cookie: JSESSIONID=8629A2C6FA26A99678599B0868511610; AWSELB=B321B10B128ADF1E237E8419717E1CC409A63A5C6B3EA2E2C6CEE56E4F76FCE48DFDA95F1F20ED1ADEED570326993D2492C17C070ED41500F3EDC7EB993ED53188BF73D37301213483075952D1ADAD619C3C890672; JSESSIONID=5DA3507629D0CB34DE1B032FA71D1CB2; AWSELB=B321B10B128ADF1E237E8419717E1CC409A63A5C6BC5080020E5701A0FB3756B152B401A70BF4CA755D30D9B06C82E5C1EB2E81E99C160A62D108BDB79947DEF2E2421C11C513C2C7452FA63B46EE8DF693FB5ED03

In this scenario I'm experiencing session stickiness issues where consecutive browser requests for App-B are going to both nodes, rather than only to Node-A.

I'm curious how AWS ELB manages session stickiness in such a situation. Based on what does it select 1 AWSELB cookie out of the 2? Am I missing some configuration in the ELB?

Thanks in advance.

drox
  • Was it possible for you to solve this problem? Having a very similar one. – Bernhard Feb 07 '15 at 00:33
  • Do you encounter the same issue if you let the AWS ELB insert/manage its own cookies, rather than using the "Application Generated Cookie Stickiness" setting? – Castaglia Jan 17 '16 at 17:37
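
The cookie selection described in step 3 of the question, as an added example that is not part of the original post: it applies the RFC 6265 path-match and ordering rules to the four Set-Cookie headers. `Jar`, `path_match` and `values_for` are hypothetical names, the AWSELB values are constructed placeholders for the long values above, and nothing here models how the ELB itself picks a cookie.

```python
from itertools import count

def path_match(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

class Jar:
    def __init__(self):
        self.cookies = {}          # (name, path) -> (value, creation order)
        self._clock = count()

    def set_cookie(self, header):
        """Store one Set-Cookie value; attribute names are case-insensitive."""
        pair, *attrs = [p.strip() for p in header.split(";")]
        name, _, value = pair.partition("=")
        path = "/"                 # assumption: default to "/" when Path is absent
        for attr in attrs:
            key, _, val = attr.partition("=")
            if key.strip().lower() == "path" and val.startswith("/"):
                path = val.strip()
        # Same name with a different path is a separate cookie, not a replacement.
        old = self.cookies.get((name, path))
        created = old[1] if old else next(self._clock)
        self.cookies[(name, path)] = (value, created)

    def cookie_header(self, request_path):
        """Section 5.4: longer paths first, then earlier creation time."""
        hits = [(n, p, v, c) for (n, p), (v, c) in self.cookies.items()
                if path_match(request_path, p)]
        hits.sort(key=lambda h: (-len(h[1]), h[3]))
        return "; ".join(f"{n}={v}" for n, _, v, _ in hits)

def values_for(header, name):
    """All values a server-side parser sees for one cookie name, in order."""
    pairs = (p.strip().partition("=") for p in header.split("; "))
    return [v for n, _, v in pairs if n == name]

# JSESSIONID values are from the question; AWSELB values are constructed.
jar = Jar()
jar.set_cookie("JSESSIONID=8629A2C6FA26A99678599B0868511610; Path=/appb/; Secure; HttpOnly")
jar.set_cookie("AWSELB=ELB-VALUE-FROM-NODE-A;PATH=/appb/;SECURE;HTTPONLY")
jar.set_cookie("JSESSIONID=5DA3507629D0CB34DE1B032FA71D1CB2; Path=/; Secure; HttpOnly")
jar.set_cookie("AWSELB=ELB-VALUE-FROM-NODE-B;PATH=/;SECURE;HTTPONLY")

APPB = jar.cookie_header("/appb/home")   # what App-B receives
ROOT = jar.cookie_header("/index")       # what App-A receives
```

A request under `/appb/` carries two values for each cookie name, while a request to `/index` carries only the `/` pair. RFC 6265 says servers should not rely on the order in which same-named cookies are serialized, so anything reading `AWSELB` from that header has two candidates and no defined winner.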

1 Answer


This is simple: by rule and standard practice you need to use an ELB for one application (but nothing stops you from using multiple applications from an ELB).

Solution: You need to use 2 ELBs for 2 different apps.

Explanation:

The purpose of ELB is not just to distribute load to different nodes but also to maintain availability and scaling (with high available servers).

To achieve availability you need to provide a health-check strategy which will mark a node Out of Service if not available. If you are going to use one ELB for multiple applications, which app's healthcheck would you provide? That would basically defeat the purpose of high availability.

So you need to end up creating individual ELBs for each app, which would solve your issue of the common AWSELB cookie, as both will have different AWSELB cookies talking to different ELBs.

BTW, AWS ELBs are not optimized for doing multiple things like this. Read more about this in https://www.linkedin.com/pulse/key-benefits-limitation-aws-elb-admin-cloudfoqus

---Amazon ELB sticks request when traffic is generated from Single IP - This point comes as a surprise to many users using Amazon ELB. Amazon ELB behaves a little strangely when incoming traffic is originated from Single or Specific IP ranges, it does not efficiently complete the round robin and sticks the request.----