Since Auto Scaling doesn't allow a buffer period and/or is not intelligent enough to block only "new requests" coming in to the instance which is scheduled to be turned off due to scale-down, I am trying to avoid using the sticky sessions provided by the ELB. Otherwise this behavior will leave some of the customers at a log-in screen.
The website and other RESTful web services are running in IIS7. The website is using classic forms-based authentication (the built-in membership provider in MVC3), but will soon migrate to a custom membership provider that looks at the cookie, decrypts it and then gives the verdict. The RESTful web services are already using custom membership providers.
In this situation, I think for the website I cannot get by without using sticky sessions via its ELB.
The ELB for the RESTful web services can be configured as non-sticky since they individually observe the cookie on every request to see whether the auth token exists with some encrypted value. However, the problem here is the methods FormsAuthentication.Encrypt and FormsAuthentication.Decrypt: they use machine keys under the hood, RIGHT?! If not, then it's not a problem, but if they do, then how do I synchronize machine keys across autoscaled instances in EC2?
Since the recommended website seems to have been hacked (http://aspnetresources.com/tools/machineKey), I would recommend using the following procedure instead:
1. In IIS Manager, select the server and open Machine Key in the ASP.NET section (read below if you don't see this section).
2. Uncheck Automatically generate at runtime and Generate unique keys for each application.
3. Click Generate Keys in the Actions menu, then click Apply.
4. Open web.config and copy the <machineKey> tag to your other web servers in your web farm so that they all use the same machineKey.
Plus, you won't have any website logging your IP address and generated machine keys (if we are being cynical).
If you don't have an ASP.NET section in your IIS Manager, you can use the following procedure to enable it (from https://serverfault.com/questions/129714/asp-net-area-in-iis-7-on-windows-2008):
In Windows 7, you can enable ASP.NET from Control Panel -> Programs -> Programs and Features -> Turn Windows features on or off. Expand Internet Information Services -> World Wide Web Services -> Application Development Features and tick ASP.NET.
In Windows Server 2008, open Server Manager -> click Roles -> click Add Roles -> select Web Server (IIS) -> in Role Services tick ASP.NET; it will prompt for the necessary dependent Role Services, so click Add Required Role Services.
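The same result without clicking through IIS Manager, as an added example that is not part of the question or the answer above: a PowerShell script that generates one pair of cryptographically random keys and writes an identical <machineKey> element into every web.config listed. The file paths are placeholders (an assumption about the deployment); the key lengths are the ones ASP.NET expects for HMACSHA256 validation (64 bytes) and AES-256 decryption (32 bytes). Because the keys are produced once and copied, every instance that starts from that deployment package or AMI can validate and decrypt a forms-authentication ticket issued by any other instance.

```powershell
# Added example (not from the original question or answer): generate one
# <machineKey> with random keys and write it into <system.web> of every
# web.config in $WebConfigPaths so all farm members share the same keys.
# The paths are placeholders (assumed); adjust them for your deployment.

$WebConfigPaths = @(
    'C:\inetpub\wwwroot\Website\web.config',
    'C:\inetpub\wwwroot\RestServices\web.config'
)

function New-HexKey {
    param([int]$ByteLength)
    $bytes = New-Object byte[] $ByteLength
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $rng.GetBytes($bytes)
    $rng.Dispose()
    # Upper-case hex with no separators, the format <machineKey> expects
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

# HMACSHA256 validation uses a 64-byte key; AES-256 decryption a 32-byte key
$validationKey = New-HexKey -ByteLength 64
$decryptionKey = New-HexKey -ByteLength 32

foreach ($path in $WebConfigPaths) {
    [xml]$config = Get-Content -Path $path -Raw
    $systemWeb = $config.SelectSingleNode('/configuration/system.web')
    if ($null -eq $systemWeb) {
        $systemWeb = $config.CreateElement('system.web')
        [void]$config.DocumentElement.AppendChild($systemWeb)
    }
    $mk = $systemWeb.SelectSingleNode('machineKey')
    if ($null -eq $mk) {
        $mk = $config.CreateElement('machineKey')
        [void]$systemWeb.AppendChild($mk)
    }
    # Explicit algorithms: do not rely on the per-machine/per-app defaults,
    # which is exactly what "Generate unique keys for each application" does
    $mk.SetAttribute('validationKey', $validationKey)
    $mk.SetAttribute('decryptionKey', $decryptionKey)
    $mk.SetAttribute('validation', 'HMACSHA256')
    $mk.SetAttribute('decryption', 'AES')
    $config.Save($path)
}

# Sanity check: every web.config must now carry the same validationKey
$distinct = $WebConfigPaths | ForEach-Object {
    ([xml](Get-Content -Path $_ -Raw)).SelectSingleNode(
        '/configuration/system.web/machineKey').GetAttribute('validationKey')
} | Sort-Object -Unique
if (@($distinct).Count -ne 1) {
    throw 'machineKey differs between the listed web.config files'
}
```

Run it once on the build box, then ship the resulting web.config inside the deployment package or bake it into the AMI; do not run it on each autoscaled instance at boot, or every instance would get its own keys and tickets would stop validating across the farm. Treat the generated web.config as a secret (it now contains the keys) and rotate the keys by regenerating and redeploying, knowing that existing tickets become invalid at that moment.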