HTTP Cookie Persistence

The HTTP cookie mode of persistence enables sticking a client to a server for a session. HTTP cookie persistence can be applied to any virtual service with an attached HTTP application profile. With this persistence method, the Avi Load Balancer SEs insert an HTTP cookie into the first response of a server to a client.

To use HTTP cookie persistence, no configuration changes are required on the back-end servers. HTTP persistence cookies created by the Avi Load Balancer have no impact on existing server cookies or behavior.

Note:

The Avi Load Balancer also supports an App Cookie Persistence mode, that relies on cookies. The app cookie method enables persistence based on information in existing server cookies, rather than inserting a new Avi Load Balancer-created cookie.

To validate if HTTP cookie persistence is working, enable all headers for the virtual service analytics and view logs to see the cookies sent by a client.

See App Cookie Persistence for descriptions of other persistence methods and options.

Cookie Format

The following is an example of an HTTP session-persistence cookie created by Avi Load Balancer.

Set-Cookie: JKQBPMSG=026cc2fffb-b95b-41-dxgObfTEe_IrnYmysot-VOVY1_EEW55HqmENnvC; path=/

The cookie payload contains the back-end server IP address and port.

The payload is encrypted with AES-256. When a client makes a subsequent HTTP request, it includes the cookie, which the SE uses to ensure that the client’s request is directed to the same server.

Configuring Cookie Persistence

Starting with Avi Load Balancer version 21.1.3, the field is_persistent_cookie is introduced, which when set to True, enables persistence in an HTTP cookie. By default, this field is set to False, which implies the cookie is a session cookie by default.

Cookie Persistence Timeout

Persistence profiles allow configuration of a persistence timeout. The persistence timeout sets the maximum amount of time a persistence cookie is valid.

The persistence timeout applies to persistence cookies that are created by Avi Load Balancer for individual client sessions with virtual services that use the persistence profile.

Generally, the client or browser has the responsibility to clear a persistent session cookie, after the session associated with the cookie is terminated, or when the browser is closed. Setting a persistence timeout takes care of cases where the client or browser does not clear the session cookies.

If the persistence timeout is set, the maximum lifetime of any session cookie that is created based on the profile is set to the timeout. In this case, the cookie is valid for a maximum of the configured timeout, beginning when the Avi Load Balancer creates the cookie.

For example, if the persistence timeout is set to 720 minutes, a cookie created based on the profile is valid for a maximum of 12 hours, from the cookie creation time. After the persistence timeout expires, the cookie expires and is no longer valid.

By default, there is no timeout. The cookie sent is a session cookie, which is cleared by the client after the session ends.

The timeout field in a HttpCookiePersistenceProfile is translated to max-age. The max-age attribute represents the number of seconds for the cookie to expire. If the value of max-age is either zero or lesser (negative numbers), the cookie expires instantly.

Note:

If the flag is_persistent_cookie is deactivated, the timeout behavior remains unchanged (the cookie expires according to the non-zero value of the timeout).
If the flag is enabled and the value of timeout is zero, the cookie expires immediately, as the max-age is set to zero.

To configure cookie persistence timeout use Set-Cookie: <cookie-name>=<cookie-value> Max-Age=<number>.

Example:

Set-Cookie: JKQBPMSG=026cc2fffb-b95b-41-dxgObfTEe_IrnYmysot-VOVY1_EEW55HqmENnvC; path=/ ; Max-Age=3600.

Persistence Mirroring

Since clients maintain the cookie and present it when visiting the site, the Avi Load Balancer does not need to store the persistence information or mirror the persistence mappings to other SEs. This allows for greater scale with minimal effort.

Persistence Duration

HTTP cookie persistence leverages a session-based cookie, which is valid until the client maintains an HTTP session with the Avi Load Balancer. If the client closes a browser, the cookie is deleted and the persistence is terminated.

Avi Load Balancer UI Configuration Options

To enable cookie persistence using the UI, navigate to Templates > Profiles > Persistence.

The following table describes the fields needed to configure a persistence profile in the persistence profile editor:


Field Name	Description
Name	Unique name for the persistence profile.
Select New Server When Persistent Server Down	Action to be taken when a server is marked down, such as by a health monitor or when it has reached a connection limit. Indicates whether existing persisted users continue to be sent to the server, or load balanced to a new server. Immediate: The Avi Load Balancer immediately selects a new server to replace the one marked down and switch the persistence entry to the new server. Never: No replacement server will be selected. Persistent entries will be required to expire normally based on the persistence type.
Description	Optional, custom description for the profile.
Type	HTTP Cookie. Changing the type will change the profile to another persistence method.
HTTP Cookie Name	This field comes up blank. By populating this optional field, the cookie will be inserted with the user-chosen custom name. If it is not populated, the Avi Load Balancer auto-generates a random eight-character alphabetic name.
Is Persistence Cookie	Select to enable persistence. If this option is not enabled, the cookie is a session cookie.
Persistence Timeout	The maximum lifetime of any session cookie. The allowed range is 1-14400 minutes. No value or zero indicates no timeout
Always Send	By default, a persistence cookie is sent once at the beginning of a session to the client. Clients then respond with the cookie for each request. However, some web applications, such as those incorporating Java or JavaScript, might not include the cookie in their request if it was not received in the previous response. Enabling Always Send causes the Avi Load Balancer to include the cookie for every response.

The persistence cookie is as shown below:

Note:

Avi Load Balancer supports setting an HTTP-Only flag for the cookie set by it. Setting this attribute helps to prevent the third-party scripts from accessing this cookie if supported by the browser. This feature will activate for any HTTP or terminated HTTPS virtual service.

When you set a cookie with the HTTP-Only flag, it informs the browser that this special cookie must only be accessed by the server. Any attempt to access the cookie from a client-side script is strictly forbidden.