HTTP Cookie Persistence

The HTTP cookie mode of persistence enables sticking a client to a server for the duration of their session. HTTP cookie persistence may be applied to any virtual service with an attached HTTP application profile. With this persistence method, Avi Vantage Service Engines (SEs) will insert an HTTP cookie into a server’s first response to a client.

To use HTTP cookie persistence, no configuration changes are required on the back-end servers. HTTP persistence cookies created by Avi Vantage have no impact on existing server cookies or behavior.

Note: Avi Vantage also has an “app cookie” persistence mode, which relies on cookies as well. The app cookie method performs persistence based on information in existing server cookies, rather than inserting an Avi Vantage-created cookie.

To validate that HTTP cookie persistence is working, enable all headers for the virtual service analytics. Then view the logs to see the cookies sent by a client.

Refer to Overview of Server Persistence for descriptions of other persistence methods and options.

The following is an example of an HTTP session-persistence cookie created by Avi Vantage.

Set-Cookie: JKQBPMSG=026cc2fffb-b95b-41-dxgObfTEe_IrnYmysot-VOVY1_EEW55HqmENnvC; path=/

The cookie payload contains the back-end server IP address and port.

The payload is encrypted with AES-256. When a client makes a subsequent HTTP request, it includes the cookie, which the SE uses to ensure the client’s request is directed to the same server.

Starting with NSX Advanced Load Balancer version 21.1.3, the field is_persistent_cookie is introduced. When set to True, it enables persistence in an HTTP cookie. By default, this field is set to False, which means the cookie is a session cookie.

Persistence profiles allow configuration of a persistence timeout. The persistence timeout sets the maximum amount of time a persistence cookie is valid.

The persistence timeout applies to persistence cookies that are created by Avi Vantage for individual client sessions with virtual services that use the persistence profile.

Generally, the client or browser is responsible for clearing a persistent session cookie after the session the cookie was for is terminated, or when the browser is closed. Setting a persistence timeout takes care of cases where the client or browser does not clear the session cookies.

If the persistence timeout is set, the maximum lifetime of any session cookie that is created based on the profile is set to the timeout. In this case, the cookie is valid for a maximum of the configured timeout, beginning when Avi Vantage creates the cookie.

For example, if the persistence timeout is set to 720 minutes, a cookie created based on the profile is valid for a maximum of 12 hours, beginning as soon as the cookie is created. After the persistence timeout expires, the cookie expires and is no longer valid.

By default there is no timeout and the cookie sent is a session cookie, which is cleared by the client after the session ends.

Starting with NSX Advanced Load Balancer version 21.1.3:

  • The timeout field in an HttpCookiePersistenceProfile is translated to max-age.
    The max-age attribute represents the number of seconds until the cookie expires.
    If the value of max-age is zero or negative, the cookie expires instantly.

Notes:

  • If the flag is_persistent_cookie is disabled, the timeout behavior remains unchanged (the cookie is expired according to the non-zero value of the timeout).
  • If the flag is enabled and the value of timeout is zero, the cookie expires immediately, since the max-age is set to zero.

To configure the cookie persistence timeout, use Set-Cookie: <cookie-name>=<cookie-value>; Max-Age=<number>

For example, Set-Cookie: JKQBPMSG=026cc2fffb-b95b-41-dxgObfTEe_IrnYmysot-VOVY1_EEW55HqmENnvC; path=/ ; Max-Age=3600.

Persistence Mirroring

Since clients maintain the cookie and present it when visiting the site, Avi Vantage does not need to store the persistence information or mirror the persistence mappings to other SEs, allowing for greater scale with minimal effort.

Persistence Duration

HTTP cookie persistence leverages a session-based cookie, which is valid as long as the client maintains an HTTP session with Avi Vantage. If the client closes a browser, the cookie is deleted and the persistence is finished.

To enable cookie persistence using the UI,

  1. From the Avi UI, navigate to Templates > Profiles > Persistence.

  2. Enter a unique Name for the profile.

  3. Set Select New Server When Persistent Server Down as Immediate or Never to define the behavior of the persistent server when the server is marked down, such as by a health monitor or when it has reached a connection limit.
    • Immediate: Avi Vantage will immediately select a new server to replace the one marked down and switch the persistence entry to the new server.
    • Never: No replacement server will be selected. Persistent entries will be required to expire normally based upon the persistence type.
  4. Set the Type as HTTP. Changing the type will change the profile to another persistence method.

  5. Enter HTTP Cookie Name to insert the cookie with a user-chosen custom name. If left blank, Avi auto-generates a random eight-character alphabetic name.

  6. Click Is Persistence Cookie to enable persistence. If this option is not enabled, the cookie is a session cookie.

  7. By default, a persistence cookie is sent once at the beginning of a session to the client. Clients will then send the cookie back with each request. However, some web applications, such as those incorporating Java or JavaScript, may not include the cookie in their request if it was not received in the previous response. Enabling Always Send causes Avi Vantage to include the cookie on every response.

  8. Enter Persistence Timeout in minutes to define the maximum lifetime of any session cookie.

The persistence cookie is as shown below:

[Figure: HTTP Cookie Persistence]

Note: Starting with Avi Vantage version 21.1.1, Avi Vantage supports setting an HTTP-Only flag for the cookie set by Avi. Setting this attribute helps to prevent third-party scripts from accessing this cookie, if supported by the browser. This feature will activate for any HTTP or terminated HTTPS virtual service.

When you set a cookie with the HTTP-Only flag, it informs the browser that this cookie should only be accessed by the server. Any attempt to access the cookie from a client-side script is strictly forbidden.

For more details on enabling HTTP-Only attribute, refer to SSL Everywhere guide.
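
The Max-Age and HTTP-Only behavior described above can be checked from response headers captured in the virtual service logs. The following is an added example, not code from Avi Vantage or from this guide; the function names, the two constructed sample headers, and the comparison of Max-Age against timeout * 60 (minutes to seconds) are assumptions.

```python
def parse_set_cookie(header):
    """Return (name, value, attrs) with attribute names lower-cased."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_persistence_cookie(header, timeout_minutes=None):
    """Classify cookie lifetime and list deviations from the expected profile.

    timeout_minutes: the profile's Persistence Timeout. Expecting
    Max-Age == minutes * 60 is an assumption drawn from the units on the page.
    """
    name, _, attrs = parse_set_cookie(header)
    result = {"name": name, "httponly": "httponly" in attrs,
              "max_age": None, "kind": "session", "findings": []}
    if "max-age" in attrs:
        try:
            result["max_age"] = int(attrs["max-age"])
        except ValueError:
            result["findings"].append("Max-Age is not an integer")
    if result["max_age"] is not None:
        # Zero or negative Max-Age: the cookie expires instantly.
        result["kind"] = "persistent" if result["max_age"] > 0 else "expired"
        if timeout_minutes is not None and result["max_age"] != timeout_minutes * 60:
            result["findings"].append("Max-Age does not match profile timeout")
    if not result["httponly"]:
        result["findings"].append("HttpOnly missing: scripts can read the cookie")
    return result


# First two headers are the examples from this page; last two are constructed.
PAGE_VALUE = "026cc2fffb-b95b-41-dxgObfTEe_IrnYmysot-VOVY1_EEW55HqmENnvC"
SAMPLES = [
    f"Set-Cookie: JKQBPMSG={PAGE_VALUE}; path=/",
    f"Set-Cookie: JKQBPMSG={PAGE_VALUE}; path=/ ; Max-Age=3600",
    "Set-Cookie: JKQBPMSG=constructed-value; path=/; Max-Age=43200; HttpOnly",
    "Set-Cookie: JKQBPMSG=constructed-value; path=/; Max-Age=0; HttpOnly",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_persistence_cookie(sample))
```

Pass the profile's Persistence Timeout as timeout_minutes to flag a cookie whose lifetime differs from the configured value.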