Are there any possible issues with using the default Forms Authentication (see below) on Load Balanced servers? If there can be, what can I do to prevent the issues?

<authentication mode="Forms">
    <forms loginUrl="~/Login/" protection="All" timeout="30" />
</authentication>

Can I use cookies (used by default)? Do I have to go cookieless? etc...

Also, does Microsoft (or VMware) have a VirtualPC download that is an instant Load Balanced testing environment?

A: 

Cookies work based on the domain, so as long as all the servers are running under the same domain, then cookies should work cross-server. By default, this is how forms authentication works. ASP.NET adds an AUTH cookie to track the login.

The session is another matter though. Unless you implement a session store, like SQL Server, then the session variables won't be transferred across servers.

Kyle Trauberman
-1 you didn't mention the machineKey/validationKey issue and without that cookies won't work when set from one server and received in a different one.
Gonzalo
+3  A: 

There is one issue. The cookies are encrypted and validated using the machine key and the validation key (that's what protection="All" means). You will have to set those in your top-level web.config on all the servers, otherwise each of them will have a different one and will reject cookies set by the others.

You can find a machineKey generator here. Then put the generated XML inside the web.config of all the servers and you're ready to rock.

Gonzalo
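
Added example, not part of the answers above: a check that every server in the farm pins the same explicit machineKey, which is the condition under which a forms authentication cookie issued by one node is accepted by another. The server names, the sample_config helper and the key values are constructed placeholders, and the script assumes each web.config has no XML namespace and carries machineKey directly under system.web.

```python
import hashlib
import xml.etree.ElementTree as ET

def machine_key_fingerprint(web_config_xml):
    """Return (fingerprint, problem) for one server's web.config text."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("system.web/machineKey")
    if mk is None:
        return None, "no <machineKey> element, keys are auto-generated per server"
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    if "AutoGenerate" in vkey or "AutoGenerate" in dkey:
        return None, "AutoGenerate key, value differs on every server"
    # Hash the settings so the report never echoes the secret keys themselves.
    material = "|".join([vkey.upper(), dkey.upper(),
                         mk.get("validation", ""), mk.get("decryption", "")])
    return hashlib.sha256(material.encode()).hexdigest()[:16], None

def audit_farm(configs):
    """configs maps server name -> web.config text; returns a list of findings."""
    findings, prints = [], {}
    for server, xml_text in sorted(configs.items()):
        fingerprint, problem = machine_key_fingerprint(xml_text)
        if problem:
            findings.append(f"{server}: {problem}")
        else:
            prints[server] = fingerprint
    if len(set(prints.values())) > 1:
        detail = ", ".join(f"{s}={fp}" for s, fp in sorted(prints.items()))
        findings.append(f"machineKey mismatch across servers: {detail}")
    return findings

def sample_config(validation_key=None, decryption_key=None):
    """Constructed web.config text; the key values are placeholders, not real keys."""
    mk = ""
    if validation_key:
        mk = (f'<machineKey validationKey="{validation_key}" '
              f'decryptionKey="{decryption_key}" '
              'validation="HMACSHA256" decryption="AES" />')
    return f"<configuration><system.web>{mk}</system.web></configuration>"

if __name__ == "__main__":
    farm = {"web01": sample_config("AA" * 64, "BB" * 32),
            "web02": sample_config("AA" * 64, "CC" * 32),   # drifted key
            "web03": sample_config()}                        # nothing pinned
    for finding in audit_farm(farm):
        print(finding)
```

An empty result from audit_farm means every node carries the same explicit keys; generate the real key values locally with a cryptographic random source and handle them as secrets.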