Users are being logged out of web site due to round robin load balancer

Question

Our operator has implemented a Round Robin load balancer on our web portal and it seems to be causing some problems I can't get to the bottom of.

I'm able to identify which server we're on and as we navigate around the site we stay on server A. If I leave it for 5 minutes and try another page I'll get pushed to server B, logged out and shown the log in page.

I've got them to make sure the MachineKey in the machine.config is the same on both servers and I've tested locally that the session isn't being used - I can turn the session off completely locally and it still works. I've verified on both servers it is creating an ASPXAUTH cookie on the domain so we should be classed as authenticated on both servers - but keep loosing my authentication every time I change server.

Any ideas on what could be causing the logging out? I'm guessing it's my misunderstanding about how ASPXAUTH works.

Answer 1

Sessions are handled separately from Forms Authentication. There is a good explanation of this here.

The most common reason for Forms Authentication failures on load-balanced environments is lack of synchronization of the MachineKey element. You've stated that you've got the server operators to ensure that the MachineKey is synchronized, but have you verified this yourself in some way? Is this the case on ALL the web servers? From previous dealings with a couple of commercial web hosts, I've found that it is (unfortunately) difficult to take their assurances at face value.

Another thing to check is if the FormsAuthentication configuration (timeout, path, name, etc.) is the same on all of the hosts.

Are the patch levels the same on all of the hosts? You might want to see if the compatibility switch mentioned here is applicable in your situation.

Assuming that the hosting setup is correct, maybe you have initialization code on the page that logs you out if some condition is not fulfilled?

Try to take a look at the server logs and trace the sequence of HTTP requests involved during a failed page request. That might produce a clue.

Edit: This guide to troubleshooting Forms Authentication problems is detailed, and quite helpful: Troubleshooting Forms Authentication