Sticky session

What is a sticky session?

A sticky session, also known as session affinity or session persistence, is a technique used in load-balancing systems to manage network traffic. It involves routing a client’s requests to the same backend server for the duration of their session, keeping session state consistent.

How does a sticky session work?

A load balancer uses cookies or other identifiers (such as IP addresses) to recognize returning users.

It assigns a backend server to the client and applies a session cookie or affinity rule so future requests are routed to the same server until the session expires.
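
The routing flow above, sketched in Python as an added example (not code from this page or from any load balancer product): cookie-based affinity with an opaque, HMAC-derived cookie value, rejection of tampered cookies, and re-assignment when the pinned server is down. The backend names, cookie name, secret and IP addresses are constructed for illustration, and picking the first server by hashing the client IP is an assumption.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"        # assumption: secret known only to the balancer
BACKENDS = ["app-1", "app-2", "app-3"]  # constructed backend names
COOKIE = "lb_affinity"                  # hypothetical cookie name


def _token(backend: str) -> str:
    """Opaque cookie value: carries no backend name and no user data."""
    return hmac.new(SECRET, backend.encode(), hashlib.sha256).hexdigest()[:32]


def issue_cookie(backend: str) -> str:
    """Set-Cookie header value with restrictive attributes."""
    return f"{COOKIE}={_token(backend)}; Path=/; HttpOnly; Secure; SameSite=Lax"


def pinned_backend(cookie_header: str):
    """Return the backend a valid affinity cookie points to, else None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != COOKIE:
            continue
        for backend in BACKENDS:
            # Constant-time comparison; forged or edited values match nothing.
            if hmac.compare_digest(value.encode(), _token(backend).encode()):
                return backend
    return None


def route(cookie_header: str, client_ip: str, healthy: set):
    """Return (backend, set_cookie); set_cookie is None when affinity held."""
    backend = pinned_backend(cookie_header)
    if backend in healthy:
        return backend, None
    # No valid cookie, or the pinned server is unavailable: assign a new one.
    pool = sorted(healthy)
    if not pool:
        raise RuntimeError("no healthy backends")
    digest = hashlib.sha256(client_ip.encode()).digest()
    backend = pool[int.from_bytes(digest[:4], "big") % len(pool)]
    return backend, issue_cookie(backend)
```

When the pinned server drops out of `healthy`, the client is moved to another server and gets a new cookie, but any session state held only on the old server is not carried over.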

Types of sticky sessions

  • Cookie-based affinity: The load balancer delivers a cookie to the user’s browser to route future requests to the same backend server.
  • Application cookie affinity: The application sets a cookie that the load balancer reads and uses with its own session cookie to route requests to the same server.
  • IP-based affinity: The load balancer maps a client’s IP address to a backend server, so future requests from that IP are routed to the same server.
  • Route-based persistence: The load balancer uses a route or session ID to direct subsequent requests to the same server.

Where is it used?

  • Load-balanced web apps: Keeps requests routed to the same server to preserve session data.
  • E-commerce checkouts: Maintains login state and shopping cart contents during a session.
  • User dashboards: Preserves personalized data, settings, and preferences by keeping requests routed to the same server.
  • Legacy server environments: Supports older systems that lack shared session storage (e.g., databases or in-memory stores).
  • Stateful enterprise applications: Maintains workflow continuity by keeping requests on a specific server.

Why is a sticky session important?

Sticky sessions support stateful systems and can improve user experience. For example, they allow users to stay logged in and keep items in their shopping carts while navigating an online store.

They may also reduce the need to repeatedly retrieve session data from shared storage, which can ease the burden on servers and simplify legacy app deployment.

Risks and privacy concerns

  • Misconfigured cookies may expose user data.
  • Sessions may be lost if a server becomes unavailable.
  • Uneven traffic distribution may occur if sessions aren’t balanced across servers.
  • Cookies or IP-based tracking may introduce privacy risks.

FAQ

What is the difference between sticky sessions and stateless sessions?

Sticky sessions route a user's requests to the same backend server for the duration of their session, while stateless sessions allow any server to handle requests.

Are sticky sessions the same as session affinity?

Yes, session affinity and sticky sessions are two terms for the same concept: a load-balancing technique in which all requests from a user are routed to the same backend server.

Do sticky sessions use cookies or IP addresses?

Sticky sessions can use both, but they typically rely on cookies to keep a user's requests routed to the same server.

Are sticky sessions secure?

Sticky sessions aren’t inherently more or less secure than stateless approaches. Security depends on implementation, including how session data is stored and protected. Keeping session data on a single server may reduce exposure across systems, but it can also increase risk if that server is compromised.

When should sticky sessions be avoided?

Sticky sessions may be less suitable for high-availability systems, where services are designed to continue operating during server failures. In this setup, sessions tied to a single server can be lost if that server becomes unavailable.