DEV Community

Cover image for Ever refreshed a website only to be randomly logged out? Here's the DevOps mistake around it
Ajibola jr. MSc, Cybersecurity
Ajibola jr. MSc, Cybersecurity

Posted on

Ever refreshed a website only to be randomly logged out? Here's the DevOps mistake around it

#aws #cloud #infrastructure #devops

Have you ever been using a web app, refreshed the page, and suddenly found yourself kicked back to the log in screen?

As a user, it’s incredibly frustrating. But as a developer or DevOps engineer, it’s a textbook symptom of a missing architectural feature: session stickiness (also known as 'sticky sessions').

Let's break down exactly why this happens and how to fix it.

The Problem: The "Memory Loss" Load Balancer
When an application grows, we scale it out horizontally. Instead of one giant server, we deploy multiple smaller servers (Server A, Server B, Server C, Server D, and Server E) behind a Load Balancer.

The load balancer's job is simple: distribute incoming user traffic evenly so no single server gets overwhelmed. By default, it often uses a method called Round Robin (switching servers sequentially for every new request).

Here is what happens when a user logs in without stickiness:

[User Logs In ] ──> (Load Balancer) ──> Routes to: [SERVER A]
(Session saved here!)

[User Refreshes] ─> (Load Balancer) ──> Routes to: [SERVER B]
(Who are you? 🤔)

[LOGGED OUT!]
Because Server B has no idea who you are or what happened on Server A, it assumes you aren't authenticated and logs you out. Bad user experience? Absolutely.

The Solution: Sticky Sessions

To fix this, we enable session stickiness on the Load Balancer.

When a user logs in for the first time, the load balancer hands them a special cookie. The next time the user refreshes or clicks a link, the load balancer reads that cookie and says, "Oh, you belong to Server A. Sending you back there!"
[User Refreshes w/ Cookie] ──> (Load Balancer) ──> [SERVER A] (Still logged in!)

How it's done in the real world:
If you are using AWS, you can easily enable this on an Application Load Balancer (ALB) by turning on stickiness in your Target Group settings. You can choose:

  1. Duration-based cookies: Managed by the load balancer itself for a specific timeframe.

  2. Application-based cookies: Custom cookies generated by your actual backend application.

The DevOps Trade-off: Is Stickiness Perfect?

As great as sticky sessions are, senior engineers will tell you they come with a catch.

If a massive influx of users all get assigned to Server A by chance, Server A might crash from overwork while Server B sits completely idle. It defeats the true purpose of a load balancer, which is equal distribution.

The Next-Level Fix: Stateless Architecture
If you want to ace your system design, the ultimate solution is to make your servers stateless. Instead of saving login sessions inside Server A's local memory, you save them in a fast, centralized external database like Redis or Memcached.

That way, no matter which server the Load Balancer sends the user to, the server can quickly check Redis and keep the user logged in.

Summary for Your Next Build:

  • No Stickiness: Users get bounced around servers randomly on refresh (leads to random logouts).
  • Sticky Sessions: The Load Balancer uses cookies to lock a user to one server. Great quick fix!
  • Stateless + Redis: The ultimate DevOps gold standard for scaling smoothly.

Have you ever run into this bug while building or using an app? Let’s talk about it in the comments!

Top comments (0)