When load balancers are in use and session persistence is misconfigured, the usual symptom is a constant redirect loop (HTTP 302). Below is a diagram showing an example environment with two load balancers. If the same cookie name is used for both the front-end and back-end load balancers, the load balancers cannot tell which cookie belongs to which load balancer.
- Okta Access Gateway (OAG)
- Front End LB (Load Balancer)
- App LB (Load Balancer)
- Application Load Balancers
- Cookie session persistence
When cookies are used for load balancer persistence, they are returned to the client and can be viewed in the browser's developer tools. If both load balancers use the same cookie name, multiple cookies with identical names but distinct values will appear in the browser. When the cookies are sent with the request, the load balancer sees them, and if the value does not match the one it issued, it creates a new session and cookie, causing the system to rotate constantly between nodes.
Each load balancer's persistence cookie should have a distinct name. To validate this, check the cookie names shown in the HAR. If the cookie is encrypted, switch it to clear text for testing so it is easy to trace. The cookies are visible in the response after opening developer tools and accessing the resource.
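The HAR check described above can be automated. The following is an added example, not part of this article or of any Okta tooling: it parses a constructed HAR fragment, counts 302 responses, and flags any Set-Cookie name that appears with more than one distinct value, which is the signature of two load balancers sharing a persistence cookie name. The cookie name `LBSESSION`, the hostnames and the values are all constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed, minimal HAR (HTTP Archive) fragment: two load balancers in series
# both set a persistence cookie named "LBSESSION" with different values, and the
# client bounces between them with 302 redirects. Names and values are illustrative.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"url": "https://app.example.com/login"},
         "response": {"status": 302, "headers": [
             {"name": "Set-Cookie", "value": "LBSESSION=frontend-1; Path=/; HttpOnly"}]}},
        {"request": {"url": "https://app.example.com/login"},
         "response": {"status": 302, "headers": [
             {"name": "Set-Cookie", "value": "LBSESSION=app-7; Path=/; HttpOnly"}]}},
        {"request": {"url": "https://app.example.com/login"},
         "response": {"status": 302, "headers": [
             {"name": "Set-Cookie", "value": "LBSESSION=frontend-2; Path=/; HttpOnly"}]}},
        {"request": {"url": "https://app.example.com/static/app.js"},
         "response": {"status": 200, "headers": []}},
    ]}
})

def cookie_name_value(set_cookie: str) -> tuple[str, str]:
    """Split a Set-Cookie header into (name, value), ignoring attributes such as Path."""
    first = set_cookie.split(";", 1)[0]
    name, _, value = first.partition("=")
    return name.strip(), value.strip()

def analyze_har(har_text: str) -> dict:
    """Return distinct values per Set-Cookie name and the number of 302 responses.
    One name carrying several values means two load balancers share that cookie name.
    """
    har = json.loads(har_text)
    values_by_name: dict[str, set[str]] = defaultdict(set)
    redirects = 0
    for entry in har["log"]["entries"]:
        resp = entry["response"]
        if resp["status"] == 302:
            redirects += 1
        for hdr in resp.get("headers", []):
            if hdr["name"].lower() == "set-cookie":
                name, value = cookie_name_value(hdr["value"])
                values_by_name[name].add(value)
    conflicts = {n: sorted(v) for n, v in values_by_name.items() if len(v) > 1}
    return {"redirects_302": redirects, "conflicting_cookies": conflicts}

if __name__ == "__main__":
    print(analyze_har(SAMPLE_HAR))
```

Run it against a real HAR exported from the browser's network tab by passing the file contents to `analyze_har`; a clean capture reports an empty `conflicting_cookies` dictionary.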
