Authentication with a Web farm


Given the idea of a web application (.NET 3.5+)

  • Browser
  • web app

the authentication using forms will result in a line of code similar to

FormsAuthentication.SetAuthCookie(strUsrNm, True)

This is fine in a non-load-balanced server instance. How does authentication work in a load-balanced situation (no sticky session/affinity), where you cannot store the client IP, user's password or login in the browser?

  • Browser
  • Load balancer
  • Web app (on server 1) || Web app (on server 2)

Limitations: no database sessions, no AD server (for example, to cater for external users).

In short: in a load-balanced situation, how does the application know who the user is if they authenticated against the other server, without re-authenticating?

Thanks.

Claudio Redi (best answer)

If you use cookies, all the servers will know about the authenticated user because the authentication ticket is stored in a cookie. Any server will receive this cookie and will be able to decrypt the ticket and authenticate the user.

Here you have more details about how forms authentication works.

Also, you have to be sure that all servers on the farm share the machine key used to encrypt and decrypt.

If you deploy your application in a Web farm, you must ensure that the configuration files on each server share the same value for validationKey and decryptionKey, which are used for hashing and decryption respectively. This is required because you cannot guarantee which server will handle successive requests.

With manually generated key values, the settings should be similar to the following example.

<machineKey
  validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"
  decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
  validation="SHA1"
  decryption="AES" />

Here are more details.
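The cross-server check the answer describes, as an added example that is not code from the question, the answer, or ASP.NET itself: a small Go model of the forms-auth ticket in which each farm node holds the validationKey and decryptionKey from its own machineKey, the login node encrypts and MACs the ticket into the cookie value, and any node with the same keys reads it back while a node with a different validationKey rejects it. It simplifies ASP.NET's real ticket format (AES-CTR plus HMAC-SHA1 over the bare ticket string, no version or expiry fields), and the key values and ticket text are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
)

// Server models one farm node and its <machineKey> values (constructed for this example):
// validationKey feeds HMAC-SHA1 (validation="SHA1"), decryptionKey feeds AES (decryption="AES").
type Server struct{ ValidationKey, DecryptionKey []byte }

func (s Server) mac(data []byte) []byte {
	h := hmac.New(sha1.New, s.ValidationKey)
	h.Write(data)
	return h.Sum(nil)
}

// Issue is the login node's side: AES-CTR encrypt the ticket under a random IV,
// then MAC iv||ciphertext (encrypt-then-MAC). The result is the cookie value.
func (s Server) Issue(ticket string) ([]byte, error) {
	block, err := aes.NewCipher(s.DecryptionKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(ticket)) // iv || ciphertext
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:], []byte(ticket))
	return append(out, s.mac(out)...), nil
}

// Verify is any other node's side on a later request: the MAC is checked before the
// ciphertext is touched, so a node with a different validationKey, or a tampered cookie, is rejected.
func (s Server) Verify(cookie []byte) (string, error) {
	n := len(cookie) - sha1.Size
	if n < aes.BlockSize || !hmac.Equal(s.mac(cookie[:n]), cookie[n:]) {
		return "", errors.New("ticket validation failed: different validationKey or tampered cookie")
	}
	block, err := aes.NewCipher(s.DecryptionKey)
	if err != nil {
		return "", err
	}
	plain := make([]byte, n-aes.BlockSize)
	cipher.NewCTR(block, cookie[:aes.BlockSize]).XORKeyStream(plain, cookie[aes.BlockSize:n])
	return string(plain), nil
}
```

Two Server values built from the same key bytes stand in for two web servers behind the load balancer; giving the second one a different ValidationKey reproduces the misconfigured-farm failure the answer warns about.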