Azure Web App and Sticky Session with Affinity Cookie - Reliable?

I made a release for one of my customers with Azure PAAS - Azure Web App (formerly Azure Websites). We marked the site in Auto scale mode with two minimal copies. We started to receive complaints from users who periodically face problems that can only arise if they lose session variables while actively using the site.

We were wondering how this could happen, since we are maintaining sessions in "in proc". We did not go to a separate session manager (Redis cache / DB based) session on the first day, because according to the documentation, the Azure Web application runs by default with a sticky session load balancer (when launched with multiple instances). It injects ARF affinity into the Http response file, which helps redirect the user to the same instance with which he first established a session.

To debug this issue, we started printing the actual sessionId on the page. After many attempts, we reproduced the problem - surprisingly, the sessions are swapped. Let's say my session ID is "1eocgtmwwwwss1cxksyofne4" after refreshing the page it changed to "5p1hsxszq2mcqmt5i5ytqg12" including all other information controlled in the session variable. Scary ... is it?

For support with an emergency ticket - the answer is:

"Azure Web Apps is a stateless platform, and our recommendation is to implement a session management solution that works best for your environment and avoid reliance on in-memory session state management, especially when your web application is hosted on multiple servers. In your case, when you plan to implement a caching solution for session management in the near future, our recommendation is to go to one instance as a workaround for now. We will help you ensure that the application is working as expected on one copy ".

I totally understand this, but why Cookie Affinity will fail. I know the Affinity cookie can be turned off and I have not turned it off. I thought to share this story. This can be useful for anyone else relying on a cookie-based Affinity load balancer.

BTW: The implementation of the Redis session provider is very simple. It only took a few minutes to complete.

Doing Posthumous Now - What Went Wrong? I have not considered cookies not supported by browsers. Then why does this break intermittently even in my browser where I am maintaining cookies. PAAS resources are constantly moving / swapping .... and we cannot use them in the proc session ... etc