How to handle sessions in a web farm with no cookies??

Posted on 2007-09-28
Last Modified: 2013-11-07
I'm trying to figure the best way to handle sessions in an e-Commerce web farm environment. My setup is that I have a website that connects to a remote ODBC server to grab data for the website. The shopping cart generates server side session files, no client cookies at all are being used. What is the best way to handle sessions in a web farm without using cookies at all? Is it possible to handle cookies with a database? In my server session files, I keep a lot of data on my users, so I can't imagine putting all this info into a database since there would be hundreds of records per user. The session table would also be hit tremendously so I'm wary about putting this load on the database server. How is this usually handled?

What I'm trying to do is have a farm of webservers with my website copied on all the boxes, then a load balancer on the front of the network would route to the least used server. This would be constantly happening, even in the middle of users' sessions, which is why I have to come up with something better than server side sessions residing on each webserver. Any ideas? I would greatly appreciate any help or feedback.
Question by:bemara57
    LVL 25

    Accepted Solution

    I have a similar setup (but with client side cookies) but the session issue is the same.  These statements are only true if you use the .NET platform.

    You can use InProc session state, if you are using the .NET platform.  If you use InProc session management, you will have to use a sticky source IP load balancing configuration, because your session state is managed by the web application you initially started talking to.  If you use a least conn balancing method with this config, your users will lose their state when they hit a different server in the farm.

    Or, you could use an 'Out of Proc' session manager (see ASP.NET State Manager service) to store your user's session state.  You take a minor performance hit, but now you can use a least conn balancing routine on the load balancer.  Only problem is that the state management service is not clusterable so you will have a single point of failure being the session manager service.

    If you have a budget for the project, you could look into a third-party session manager that builds in redundancy.  I am prepping to deploy software from,  to resolve this same issue.
    LVL 6

    Assisted Solution

    Please see the following URLs as they describe exactly what you want to accomplish:
    LVL 2

    Assisted Solution

    I'm not sure from your description why client-side cookies wouldn't work for you, so I'll explain how they work in a typical load-balanced situation:

    Generally, there are two types of persistence provided by a load balancer.  The "more" complicated is cookie persistence.  However, it seems to me that this would work for you since it is done completely transparent to the server.  The load balancer simply injects a cookie into traffic going from the server back to the client.  When that client returns to the web site, the cookie is interpreted by the load balancer and the client is sent back to the same server.

    The other approach that is generally used is IP persistence.  This approach works very well for lower-traffic sites, as it requires that the load balancer keeps records of client connections.  If there are too many of these records, they need to be erased or the load balancer may run out of resources.

    Hope this helps.  Let me know if you'd like any clarification.
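
The trade-off the answers describe (per-server session memory needs sticky balancing, a shared out-of-process store does not) can be seen in a small simulation. This is an added example, not code from any poster; `WebServer`, `round_robin`, `source_ip_sticky` and `run_checkout` are hypothetical names, round-robin stands in for least-connections routing, and the client address and session id are constructed sample values.

```python
"""Simulate a small web farm: per-server (InProc-style) session memory versus
one shared out-of-process store, under sticky and non-sticky balancing."""
import hashlib
import itertools


class WebServer:
    def __init__(self, name, shared_store=None):
        self.name = name
        # InProc-style: sessions live in this server's own memory unless a
        # shared store (out-of-process state service or database) is supplied.
        self.sessions = shared_store if shared_store is not None else {}

    def add_to_cart(self, session_id, item):
        cart = self.sessions.setdefault(session_id, [])
        cart.append(item)
        return list(cart)


def round_robin(servers):
    # Assumption: stands in for least-connections, so successive requests
    # from one client land on different servers.
    ring = itertools.cycle(servers)
    return lambda client_ip: next(ring)


def source_ip_sticky(servers):
    # Source-IP persistence: the same client address always maps to one server.
    def pick(client_ip):
        digest = hashlib.sha256(client_ip.encode()).digest()
        return servers[digest[0] % len(servers)]
    return pick


def run_checkout(policy_factory, shared):
    store = {} if shared else None
    servers = [WebServer(f"web{i}", store) for i in range(1, 4)]
    pick = policy_factory(servers)
    # Constructed sample client address and session id.
    client_ip, session_id = "203.0.113.7", "constructed-session-id"
    cart = []
    for item in ["book", "lamp", "desk"]:
        cart = pick(client_ip).add_to_cart(session_id, item)
    return cart  # the cart as seen on the user's final request


if __name__ == "__main__":
    print("InProc + non-sticky :", run_checkout(round_robin, shared=False))
    print("InProc + sticky IP  :", run_checkout(source_ip_sticky, shared=False))
    print("Shared + non-sticky :", run_checkout(round_robin, shared=True))
```

With per-server memory and non-sticky routing, the final request sees only the last item, because each earlier item was stored on a different server.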
