Background
ARRAffinity is a cookie used to affinitize a client to an instance of an Azure Web App. e.g. if an app is scaled out to 10 instances, and a user accesses it from their browser, the ARRAffinity helps keep the user going back to the same app instance, instead of getting a random instance each time. This can be useful for some apps that keep user state in memory.
What is changing
This cookie is meant to be round-tripped back to the server via the browser, but it is not meant to be consumed client side (it is not a meaningful value to the client).
To enforce that the client code cannot access it from Javascript code, it will now have the HttpOnly flag set, which prevents accessing it from the document.cookie
collection. See this blog post for a good explanation of why it is good security practice to do this.
Note that in the case of ARRAffinity, there was never a real security hole, since this cookie is not a valuable secret even if stolen. Still, for the sake of defense in depth and preventing something that should not be done, it makes sense to make it HttpOnly (which it should have been from the start).
Who can be affected by this change
The only way you can be affected by this change is if you have client side code that tries to access this cookie. We don't think there are any useful scenarios where this should be done, but be aware that you will no longer see this cookie in the client side cookie list.
How to work around if you really need this
On the server side, you can get the ARRAffinity value in the WEBSITE_INSTANCE_ID
environment variable. So you can create a different cookie (e.g. ARRAffinity2) and set it to that value (without making it HttpOnly
). Then in your client code, just consume this alternate cookie.