What can I use as a common session id when working in a web farm scenario?

Question

I'm using a hosting provider that uses scalable web servers, aka I can scale from 1..n at the click of a button.

What I would like to do with my app is identify a single session of a person browsing my website, and store their state in a database.

Now because the host doesn't use a sticky session, the Session Id which is what I would've used won't work, it may change from request to request.

What alternative identifier can I use that will identify a single user session and of course is secure?

(Just for clarity, I won't have a username or any data about the user.)

Answer 1

Typically one would use a database backend for this because database-maintained session info can be accessed by any web server without reliance on web-server stickiness.

On a visitor's initial visit to the site (without a cookie-provided session ID in the request), it could set a cookie with a session ID - e.g. a GUID - and add session info to the database with the session ID.

On subsequent visits to the site (with the session ID in requests if the cookie has not been cleared), any of the n web servers can identify the session by its cookie-provided ID and lookup related session info in the backend database.

Cookies can be used more extensively of course - beyond just a session ID; but they are a poor choice for typical, broader session info (i.e. often with sensitive information).