Tips on Developing Web Applications for Web Farms

by Wilson Wong

The CityU central web servers ( and are load-balanced web farms, which provide high availability services to the communities. In case any server instance of a web farm is unavailable (due to errors or maintenance), other server instances of the same web farm can still serve requests without service interruptions. 

Session Management
When a user visits our central web servers through a web browser, the central load-balancer (according to its internal algorithm) redirects the corresponding HTTP/HTTPS request to one of the server instances. For web applications that require continuous user interactions (for example, asking users to submit data via a web form), users may encounter broken sessions if related HTTP/HTTPS requests of a user session are redirected to other server instances. To  minimise issues of broken sessions, sticky persistent  has been enabled in the load-balancer which ensure all requests of the same user session are redirected to the same server instance. However, should the serving server becomes unavailable, the load-balancer will still redirect subsequent requests of the same user session to another server instance, hence users will still encounter issues of broken sessions.
To increase the persistency of .NET web applications, web developers are strongly recommended to make use of static machine keys for session state in web applications requiring user interactions. This would allow the session data of .NET web applications to be decrypted correctly among different server instances in the web farm. Therefore, even the serving server instance, A, becomes unavailable unexpectedly and the subsequent requests are redirected to another server instance, B, the server instance B could still decrypt the session data correctly with the static machine keys and avoid broken sessions.
To generate machine keys for your web application:
  • Locate and edit the web.config in the application root folder.
  • Add a <machineKey> section under <system.web>.
    <machineKey> section defines a pair of keys, validationKey and decryptionKey, which is used for encrypting, decrypting and validating session data. This pair of keys can be generated by the IIS Manager of your development PC as follows:
    • On your development PC, run the Internet Information Services Manager (inetMgr.exe)
    • Double-click “Machine Key” to open the Machine Key feature
      1. Select “AES” under “Decryption method:” and un-check “Automatically generate at runtime” and “Generate a unique key for each application” under “Validation key” and “Decryption key” respectively
      2. Click “Generate Keys” in the “Actions” panel on the right
      3. Copy  the generated “Validation key” and “Decryption key” into the  <machineKey> section under <system.web> in the web.config file as shown below:

                  (For security reasons, please generate different machine key pairs for different web applications.)

A Note for Using Classic ASP

Classic ASP stores session information in web servers, and therefore web applications developed by Classic ASP cannot share session information among server instances. If your web applications require storing data in a session, please consider building your web applications with ASP.NET instead.