Share via

how to maintain application cookie/session lifetime under Application Gateway? Currently cookie/session only last 20 minutes

Eugene Shen 0 Reputation points
2025-10-09T13:39:52.1833333+00:00

Hi there,

I have installed an application Gateway for our application, however, Currently cookie/session only last 20 minutes. The application always asks users to add to trust devices. For example, add trust device cookie can be three months, other cookie expiry time will be one day. I do select cookie affinity option, the other settings are default.

how to maintain application's cookie/session lifetime under Application Gateway rather than Application Gateway's session/cookie settings? Is there any way to add rewrites to solve this issue.

Thanks

Eugene

Azure Application Gateway
Azure Application Gateway
An Azure service that provides a platform-managed, scalable, and highly available application delivery controller as a service.
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Priya ranjan Jena 1,510 Reputation points Microsoft External Staff Moderator
    2025-10-09T16:01:06.38+00:00

    Hi Eugene,

    Thank you for reaching out on Microsoft Q&A forum

    To understand it better, we have some suggestion as below:

    Gateway-managed cookies (ApplicationGatewayAffinity)

    • These are used only for session affinity (sticky sessions) to route subsequent requests to the same backend server.
    • Their lifetime is fixed and short (typically one day for managed cookies) and cannot be extended beyond what Azure allows.

    User's image

    Reference link for increasing connection timeout://free.blessedness.top/en-us/azure/application-gateway/configuration-http-settings?tabs=backendhttpsettings

    Setting Cookie Lifetimes: If you are using Application Gateway for Containers, you might have the option to define a specific cookie name and lifetime in the RoutePolicy resource or IngressExtension. Here’s an example command to create a RoutePolicy with a cookie lifetime of 3600 seconds (1 hour):

    apiVersion: alb.networking.azure.io/v1
kind: IngressExtension
metadata:
  name: session-affinity-ingress-extension
  namespace: test-infra
spec:
  backendSettings:
    - service: echo # replace with your service name
      sessionAffinity:
        affinityType: "application-cookie"
        cookieName: "yourCookieName"
        cookieDuration: 3600s

    Cookie Rewrites: If you need to address the security attributes of cookies and ensure they are set properly (like Secure or HttpOnly), you can implement a rewrite rule in the Application Gateway to modify the cookie settings

    Reference link:https://free.blessedness.top/en-us/azure/application-gateway/configuration-http-settings?tabs=backendhttpsettings

    Application-Level Settings: Don’t forget to check if there are any settings at the application level that also manage cookie/session lifetimes. Sometimes, the application itself will have configurations that affect session expiration.

    Hope you find this comment helpful, if yes, please “up-vote” for the information provided , this can be beneficial to community members.

    Kindly let us know if you have any questions.

    Thanks

    You can still visit the below reference links for more understanding.

    0 comments
  2. Eugene Shen 0 Reputation points
    2025-10-09T17:02:13.8666667+00:00

    Thanks, Priya.

    We are using AG for hosted web sites(multiple instances) , it is not container. Clearly the cookies are there, why AG can't use it and let use time out. The load balancer we use currently) doesn't have any issues. This should be common issues for AG, hope there is a good solution from AG team.

    Eugene

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.