Is application-cookie based session persistence supported?

[mamathavit]

Need to know if there is support for application cookie stickiness or session persistence.

I went through the documentation for session persistence, I see that there are two types of session persistence supported. Refer - https://www.envoyproxy.io/docs/envoy/v1.34.0/api-v3/config/http/stateful_session

1. Cookie based session persistence
2. Header based session persistence

My requirement is to support session persistence only when the backend server sends a Set-Cookie in its response header. Only then the cookie should be set in the response and from then onwards, the session persistence should start. With current cookie-based session persistence, Envoy will add cookie from the first request itself. But it should add the cookie only when backend server sends a set-cookie in its response header.

Is this supported in Envoy?

[zuercher]

cc @wbpcode @cpakulski

[wbpcode]

Nope, your requirement is not supported in cookie based stateful session. But i think there is very similar WIP work about your requirement in header based stateful session. #39004

[mamathavit]

@wbpcode - Thanks for the response. I went through the issue that you shared (#39004) and I found a link mentioned in the comments which is same as my requirement - "backend-initiated session persistence" by using set-cookie response header. Please find my queries below.

1. Envelope mode session persistence and backend-initiated session persistence are both different where envelope mode initiates session persistence when the upstream's response contains a specific header value (session-id). From then onwards, this specific header value will be present in all requests and responses. Whereas in backend-initiated session persistence, once the set-cookie response header is found, a cookie will be added to the response with a value and all further requests and responses will contain this cookie. Is this correct?
2. In envelope mode, if the upstream does not send any session-id header value in its response, the session persistence will not be enabled?
3. The pull request mentions the changes are done specifically for MCP protocol session. Can this be used for any scenario in general to support backend-initiated session persistence using request header instead of cookies?

[wbpcode]

Envelope mode session persistence and backend-initiated session persistence are both different where envelope mode initiates session persistence when the upstream's response contains a specific header value (session-id). From then onwards, this specific header value will be present in all requests and responses. Whereas in backend-initiated session persistence, once the set-cookie response header is found, a cookie will be added to the response with a value and all further requests and responses will contain this cookie. Is this correct?

Basically, yeah.

In envelope mode, if the upstream does not send any session-id header value in its response, the session persistence will not be enabled?

Yeah.

The pull request mentions the changes are done specifically for MCP protocol session. Can this be used for any scenario in general to support backend-initiated session persistence using request header instead of cookies?

Yeah. But we only support envelope mode for header now.

[mamathavit]

Thanks for the response. Is there any specific reason why application-cookie based session persistence (driven by set-cookie response header) is not supported by Envoy? Because, this was being supported by HAProxy that we were using before moving to Envoy. I see that Nginx is also supporting this.

[wbpcode]

Thanks for the response. Is there any specific reason why application-cookie based session persistence (driven by set-cookie response header) is not supported by Envoy? Because, this was being supported by HAProxy that we were using before moving to Envoy. I see that Nginx is also supporting this.

No any special reason, just no related requirement before.

[mamathavit]

Do we need to raise a new request to support this feature or can this issue be considered for supporting application-cookie based session persistence?