diff --git a/src/PopForums.Web/PopForums.Web.csproj b/src/PopForums.Web/PopForums.Web.csproj
index 11b6d3dd..6a0544a8 100644
--- a/src/PopForums.Web/PopForums.Web.csproj
+++ b/src/PopForums.Web/PopForums.Web.csproj
@@ -20,4 +20,8 @@
 		<Folder Include="wwwroot\" />
 	</ItemGroup>
 
+	<ItemGroup>
+		<PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Blobs" Version="1.3.4" />
+	</ItemGroup>
+
 </Project>
diff --git a/src/PopForums.Web/Program.cs b/src/PopForums.Web/Program.cs
index 0d05a82c..c08bf824 100644
--- a/src/PopForums.Web/Program.cs
+++ b/src/PopForums.Web/Program.cs
@@ -11,11 +11,22 @@
 using Microsoft.Extensions.Logging;
 using Microsoft.AspNetCore.ResponseCompression;
 using System.IO.Compression;
+using Microsoft.AspNetCore.DataProtection;
 using Microsoft.Extensions.Hosting;
 
 var builder = WebApplication.CreateBuilder(args);
 var services = builder.Services;
 
+// the following block is for use when you have multiple nodes running
+// (think Azure App Services) so they can all decode the auth cookie
+var configuration = builder.Configuration;
+if (configuration["DataProtectBlobConnectionString"] != null)
+{
+	services.AddDataProtection()
+		.SetApplicationName("popforumsdev")
+		.PersistKeysToAzureBlobStorage(configuration["DataProtectBlobConnectionString"], "keys", "antiforge");
+}
+
 services.AddControllersWithViews();
 services.AddRazorPages();