Session Persistence (Sticky Sessions)

When a user visits your application for the first time, they're just an anonymous HTTP request arriving at your load balancer. But once they've been routed to a specific backend server, how do you ensure all their subsequent requests return to that same server?

The answer, in most production systems, is a small piece of data traveling with every request: the persistence cookie.

Cookies—originally designed by Netscape in 1994 for shopping cart persistence (ironically enough)—have become the most reliable and widely-used mechanism for session affinity in load-balanced environments. A persistence cookie carries just enough information for the load balancer to route requests consistently, without requiring any client-side cooperation beyond the browser's built-in cookie handling.

This page explores cookie-based persistence in exhaustive depth: how load balancers inject and read these cookies, the security implications you must address, configuration options across major platforms, and the subtle edge cases that can break your implementation in production.

Cookie-based persistence operates through a simple but elegant mechanism. The load balancer acts as an intermediary, injecting tracking information into the HTTP response and reading it from subsequent requests.

The Complete Flow:

Step-by-Step Breakdown:

1. Initial Request Arrives:

• Client sends HTTP request without persistence cookie
• Load balancer applies normal selection algorithm (round-robin, least-connections, etc.)
• Selected server processes request and generates response

2. Cookie Injection (Response Path):

• Load balancer intercepts the response before sending to client
• Injects Set-Cookie header with persistence information
• Cookie value encodes enough information to identify the server

3. Subsequent Requests:

• Browser automatically includes cookie in requests to same domain
• Load balancer reads cookie, extracts server identifier
• Routes directly to identified server (bypassing selection algorithm)

4. Cookie Lifecycle:

• Cookie persists according to its attributes (session vs. persistent)
• Expired or missing cookies fall back to normal selection
• Server pool changes may invalidate stale cookies

What exactly goes inside the persistence cookie? Different load balancers take different approaches, each with tradeoffs:

Strategy 1: Server Identifier (Direct Reference)

The cookie contains a direct identifier for the backend server:

Set-Cookie: SERVERID=backend_server_1_192.168.1.10; Path=/

Pros: Simple, easy to debug, human-readable Cons: Exposes internal infrastructure, less secure, breaks if server names change

Strategy 2: Hashed/Encrypted Identifier

Server identity is encrypted or hashed:

Set-Cookie: SERVERID=a8f9d2e1c3b4; Path=/

Pros: Hides internal details, can include expiry/signature Cons: More complex, requires shared secret, harder to debug

Strategy 3: Pool Index

Cookie contains server's position in the pool:

Set-Cookie: SERVERID=3; Path=/

Pros: Minimal data, easy rotation Cons: Breaks if pool order changes, limited metadata

Strategy 4: Session + Server Binding

Associates a random session ID with a server in the LB's memory:

Set-Cookie: AWSALB=abc123def456; Path=/

The LB maintains internal mapping: abc123def456 → backend_server_3

Pros: No internal exposure, can persist mapping across server changes Cons: Requires LB state, memory overhead, scaling considerations

Production Recommendation:

Modern load balancers typically use session binding (like AWS ALB's AWSALB cookie) or encrypted identifiers. Direct server references should be avoided in production due to security exposure.

Example Cookie Values from Real Load Balancers:

HTTP cookies support multiple attributes that control their behavior. Each attribute has implications for session persistence:

1. Domain Attribute:

Set-Cookie: SERVERID=abc; Domain=.example.com

Controls which domains receive the cookie:

• Omitting Domain: Cookie sent only to exact host that set it
• Domain=.example.com: Cookie sent to example.com and all subdomains

Persistence Implication: If your load balancer serves multiple subdomains (api.example.com, www.example.com) from the same pool, set Domain appropriately so persistence works across subdomains.

2. Path Attribute:

Set-Cookie: SERVERID=abc; Path=/app

Restricts cookie to specific URL paths:

• Path=/: Cookie sent for all paths (most common)
• Path=/app: Cookie sent only for /app/* routes

Persistence Implication: Almost always use Path=/ for persistence cookies. Path-restricted cookies can break persistence when users navigate between app sections.

3. Expires / Max-Age:

Set-Cookie: SERVERID=abc; Max-Age=3600
Set-Cookie: SERVERID=abc; Expires=Wed, 09 Jun 2025 10:18:14 GMT

• Omitting both: Session cookie (deleted when browser closes)
• Max-Age=3600: Expires in 3600 seconds
• Expires=<date>: Expires at specific date/time

Persistence Implication: Session cookies are appropriate when persistence should match browser sessions. Persistent cookies with Max-Age survive browser restarts—useful for keeping cart contents but potentially surprising for security-sensitive sessions.

4. Secure Attribute:

Set-Cookie: SERVERID=abc; Secure

Cookie only sent over HTTPS connections.

Persistence Implication: Always use Secure for production. Without it, persistence cookies leak to unencrypted connections, exposing server identities and enabling session hijacking.

5. HttpOnly Attribute:

Set-Cookie: SERVERID=abc; HttpOnly

Cookie inaccessible to JavaScript (document.cookie).

Persistence Implication: Always use HttpOnly for persistence cookies. There's no legitimate reason for client JavaScript to access server routing cookies, and HttpOnly prevents XSS from exfiltrating them.

6. SameSite Attribute:

Set-Cookie: SERVERID=abc; SameSite=Lax
Set-Cookie: SERVERID=abc; SameSite=Strict
Set-Cookie: SERVERID=abc; SameSite=None; Secure

Controls cross-site cookie behavior:

• Strict: Cookie only sent for same-site requests
• Lax: Sent for same-site + top-level GET navigations (default in modern browsers)
• None + Secure: Sent for cross-site requests (requires Secure)

Persistence Implication: Lax is usually appropriate. Strict can break persistence when users arrive via external links. None is needed for cross-origin API scenarios but increases security exposure.

Let's examine cookie-based persistence configuration across major load balancing platforms. Understanding these implementations helps you make informed choices and troubleshoot issues.

Cookie-based persistence introduces security surface area that must be carefully managed. Let's examine the threat model and mitigations:

Cookie-based persistence can fail in subtle ways. Here are common issues and their resolutions:

Problem 1: Persistence Not Working at All

Symptoms: Users bounce between servers despite cookie configuration.

Potential Causes:

• Cookie domain mismatch (cookie set for api.example.com, user on www.example.com)
• Browser rejecting third-party cookies (if using iframe embed)
• Missing SameSite/Secure for modern browsers
• Load balancer not configured correctly for all routes
• Health check failures causing server rotation

Debugging Steps:

1. Check browser DevTools → Application → Cookies
2. Verify Set-Cookie header in network response
3. Confirm cookie sent with subsequent requests
4. Check load balancer logs for routing decisions

Problem 2: Cookie Works But Persistence Is Intermittent

Symptoms: Sometimes requests hit the right server, sometimes not.

Potential Causes:

• Multiple load balancers without shared state
• CDN stripping cookies on certain paths
• Some requests (static assets) bypass persistence
• Cookie expiring too quickly
• Browser incognito mode not persisting cookies

Debugging Steps:

1. Trace full request path (CDN → LB → origin)
2. Check if all request types include cookies
3. Verify cookie TTL matches expected session length

Problem 3: Cookie Conflicts

Symptoms: Application behaves erratically, multiple cookies present.

Potential Causes:

• Multiple load balancers setting same-named cookie
• Application and LB both setting persistence cookies
• Cookie scope (domain/path) overlaps incorrectly
• Migration leaving old cookies in place

Debugging Steps:

1. List all cookies for domain (DevTools)
2. Identify duplicate/conflicting names
3. Trace which component sets each cookie
4. Clear cookies and test clean session

Problem 4: Server Pool Changes Break Sessions

Symptoms: After deployments or scaling, users lose their sessions.

Potential Causes:

• Cookie references server no longer in pool
• Server index changed when pool resized
• Encrypted cookie uses key that rotated
• New servers have different identifiers

Mitigation Strategies:

1. Use session-binding (LB maintains mapping table)
2. Graceful draining before removing servers
3. Consistent server identifiers across deployments
4. Cookie fallback to normal load balancing on invalid value

Beyond basic cookie persistence, advanced patterns address specific architectural needs:

Pattern 1: Cookie Chaining (Multi-Tier Persistence)

In multi-tier architectures, you might need persistence at multiple levels:

Client → CDN → Global LB → Regional LB → Application Server

Each tier can set its own persistence cookie:

• CDN: Route to consistent edge location
• Global LB: Route to consistent region
• Regional LB: Route to consistent server

Implementation: Use distinct cookie names at each tier (X-Edge, X-Region, X-Server).

Pattern 2: Weighted Persistence (A/B Testing)

During gradual rollouts, you want users to stick to their assigned variant:

1. First request: LB assigns to variant (90% old, 10% new)
2. Cookie encodes variant assignment
3. Subsequent requests route to same variant

Implementation: Cookie contains both variant and server within variant.

Pattern 3: Persistence with Fallback Pools

When primary servers are unavailable, route to backup pool while maintaining eventual consistency:

1. Normal: Route to primary (Cookie: primary_server1)
2. Primary fails: Route to backup (Cookie updated: backup_server5)
3. Primary recovers: Optionally migrate back

Implementation: Time-bounded cookies allow natural migration back.

Pattern 4: Shard-Aware Persistence

When data is sharded across servers, route users to the shard holding their data:

1. First request: LB examines user ID header
2. Hash user ID to determine shard
3. Set cookie encoding shard assignment
4. Subsequent requests route via cookie

Implementation: Cookie contains shard identifier, not server. LB maps shard to current server.

Pattern 5: Canary Cookie Persistence

For canary deployments, selected users get routed to canary servers:

1. First request: LB selects small percentage for canary
2. Canary users get special cookie (CANARY=true)
3. All subsequent requests route to canary pool
4. Non-canary users never see canary

Implementation: Two-stage routing—first check canary cookie, then normal persistence.

Pattern 6: Signed Cookie with Metadata

Embed metadata in cookies for advanced routing decisions:

Cookie: STICKY=<base64(server|timestamp|signature)>

The timestamp enables:

• Automatic cookie expiry
• Forced refresh after configurable period
• Migration windows during deployments

We've thoroughly explored cookie-based session persistence, from fundamental mechanics to advanced patterns. Let's consolidate:

What's Next:

Cookies are the most common persistence mechanism, but not the only one. Next, we'll explore IP-based persistence—an approach that works without cookies but comes with significant limitations. Understanding both methods helps you choose the right approach for your specific requirements.