ASP.NET Core 2.1 cookie authentication appears to have server affinity

I ran into the same issue whenever I would restart my Azure App Service (PaaS) and my users' cookies were no longer valid. My app used ASP.NET Core Identity framework.

Here is the documentation explaining various ways to configure Data Protection to be scoped across multiple app instances or even multiple web apps:

https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview

I found using a blob storage account to be the quickest way to get it working:

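using Microsoft.AspNetCore.DataProtection;   // AddDataProtection, SetApplicationName
using Microsoft.WindowsAzure.Storage;        // CloudStorageAccount (WindowsAzure.Storage package)

// Inside Startup.ConfigureServices(IServiceCollection services).
// PersistKeysToAzureBlobStorage comes from the Microsoft.AspNetCore.DataProtection.AzureStorage package.
var storageAccount = CloudStorageAccount.Parse(configuration["Configuration key to Azure storage connection string"]);
var client = storageAccount.CreateCloudBlobClient();
var container = client.GetContainerReference("key-container");

// ConfigureServices is synchronous, so block until the container exists.
container.CreateIfNotExistsAsync().GetAwaiter().GetResult();

// Every instance reads and writes the same key ring blob under the same application name.
services.AddDataProtection()
    .SetApplicationName("Application Name")
    .PersistKeysToAzureBlobStorage(container, "keys.xml");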

The cookie issued by authentication is encrypted via Data Protection. Data Protection by default is scoped to a particular application, or instance thereof. If you need to share an auth cookie between instances, you need to ensure that the data protection keys are persisted to a common location and that the application name is the same.

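using System.IO;                             // DirectoryInfo
using Microsoft.AspNetCore.DataProtection;   // AddDataProtection and its builder extensions
// Inside Startup.ConfigureServices: every instance points at the same share and uses the same name.
services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo(@"\\server\share\directory\"))
    .SetApplicationName("MyApp");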

You can find more info in the docs.
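
Added example, not part of either answer above: a console program showing the rule both answers rely on, that an instance can read a protected payload only when it shares both the key ring location and the application name. The temp directories, the purpose string "Demo.AuthTicket" and the payload are constructed for illustration; it assumes the Microsoft.AspNetCore.DataProtection.Extensions package.

```csharp
// Added example (not from the original answers).
// Requires the Microsoft.AspNetCore.DataProtection.Extensions NuGet package.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public static class SharedKeyRingDemo
{
    // Stands in for one app instance: a key ring directory plus an application name.
    static IDataProtector NewInstance(DirectoryInfo keys, string appName) =>
        DataProtectionProvider
            .Create(keys, b => b.SetApplicationName(appName))
            .CreateProtector("Demo.AuthTicket"); // hypothetical purpose string

    // True when this instance can decrypt and validate the payload.
    static bool CanRead(IDataProtector reader, string payload)
    {
        try { reader.Unprotect(payload); return true; }
        catch (CryptographicException) { return false; }
    }

    public static void Main()
    {
        // Constructed directories: "shared" plays the common location, "local" a per-instance default.
        var root = Path.Combine(Path.GetTempPath(), "dp-demo-" + Guid.NewGuid().ToString("N"));
        var shared = Directory.CreateDirectory(Path.Combine(root, "shared"));
        var local = Directory.CreateDirectory(Path.Combine(root, "local"));

        // Instance A issues the "cookie"; the first Protect call creates the key in the shared ring.
        var issuer = NewInstance(shared, "MyApp");
        var cookie = issuer.Protect("user=alice"); // constructed payload

        // Instance B: same ring and name. Instance C: same ring, other name. Instance D: own ring.
        Console.WriteLine("same keys, same name:      " + CanRead(NewInstance(shared, "MyApp"), cookie));
        Console.WriteLine("same keys, different name: " + CanRead(NewInstance(shared, "OtherApp"), cookie));
        Console.WriteLine("own keys, same name:       " + CanRead(NewInstance(local, "MyApp"), cookie));

        Directory.Delete(root, recursive: true);
    }
}
```

Only the first check succeeds. Setting an explicit persistence location also turns off the default at-rest key encryption, so restrict access to the shared container or share, or add one of the `ProtectKeysWith*` options.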