Search code examples
asp.netauthenticationservicestacksession-stateservicestack-auth

Is it possible to enable ServiceStack auth across a webfarm without a shared session state storage?


With ASP.NET Forms Authentication, its possible to setup all the servers in a webfarm to share the same machine key for encryption of authentication tickets, meaning if you can get by without requiring session state in your application scale out to a web farm is easy.

i.e., http://www.iambacon.co.uk/blog/getting-asp-net-authentication-to-work-on-a-web-farm

Is there a method to do accomplish this disconnected setup using ServiceStack Authentication, or does implementation require a shared session state to be persisted somewhere accessible by all web servers? I'm assuming shared state is required, but if there's a way around it, would interested to learn more... (we load-balance globally, so shared state is a bit more of a challenge)


Solution

  • ServiceStack Sessions are essentially the User Session DTO's serialized in the registered Caching providers. All Caching providers except for MemoryCacheClient persists to a distributed data store so they're naturally load balanced by just using the same configuration.

    The Auth Providers that implement IAuthWithRequest can authenticate on-the-fly and access protected services without prior authentication, namely:

    • BasicAuthProvider
    • DigestAuthProvider
    • AspNetWindowsAuthProvider

    But overall this would be worse performance since it has to authenticate on each request instead of a single cache hit to access the users session.