Search code examples
amazon-web-serviceselastic-load-balancersticky-session

Is the most recent AWSALB cookie required? (AWS ELB Application Load Balancer)


Observations

When using an Amazon ELB Application Load Balancer and working with Sticky Sessions the load balancer inserts a cookie named AWSALB in the first request. To let the next request stick to the same target node (EC2 instance) the cookie should be included in that request. When doing so, it seems that the load balancer inserts a different cookie value in the response to the 2nd request. When including this new cookie value on the 3rd request, we get yet a new cookie value in the response. And so forth…

(This is different from how Sticky Sessions works with the Classic Load Balancer where the cookie is named AWSELB and retains its value until discarded by the client or the load balancer.)

The reason the AWSALB cookie changes value all the time seems to be (as stated by the docs):

The name of the cookie is AWSALB. The contents of these cookies are encrypted using a rotating key. You cannot decrypt or modify load balancer-generated cookies.

So even though the contents of the cookie might be the same, we cannot tell.

Question

The question is whether a request to the load balancer must always include the most recently received value of the AWSALB cookie or if it ok to send some previously received value (from the same sticky session, of course).

If this is a requirement the AWS ELB Application Load Balancer would not be able to serve a client that performs multiple parallel requests (after having received the first AWSALB cookie) but only clients that performs all requests in a sequential fashion (one at a time).

Can anybody shed some light on this?


Solution

  • After waiting for a reply here, I raised a support case with Amazon and got this reply:

    I understand that you would like to confirm if it is required to provide the latest stickiness cookie for every request.

    You are right in noting that the behaviour is different between CLB and ALB. Due to the different functionality of Application Load Balancer to direct traffic to multiple Target Groups, each having its own stickiness, ALB encrypts the information needed to direct traffic and provides new cookie on each request. This ensures that different times for different groups are always respected correctly.

    Clients can always obtain the latest cookie, as internally the information would ensure correct routing to the same target. If you want to reuse single cookie it is also possible, ALB will respect it and correctly route the traffic as per the stickiness in the cookie. I would not recommend using the same cookie for periods longer than 60 seconds though. This is to ensure that in case of target becoming unavailable you can acquire new cookie with new stickiness information that would route you to new target.