Crossed Session - Isolated to Proxy Server
Last post Sep 14, 2017 08:17 AM by Yuk Ding
Sep 13, 2017 03:27 PM | wressem
I have been doing some more troubleshooting with an issue of crossed sessions when using reverse proxy rules.
As a recap, we have a single reverse proxy server which forwards to a single internal web server. We use PKI certificates, so in our reverse proxy rule, we set the HTTP_X_CERT_SUBJECT server variable to the value of CERT_SUBJECT and send it along to our internal web server. Usually no problems, but if two clients present their PKI certificates within seconds of each other, the internal web server was assigning both sessions to the same user.
By enabling advanced logging on the proxy server, I believe I have narrowed it down to a problem on the proxy server. I believe it is an issue with the server variable.
In the logs, I capture the value of HTTP_X_CERT_SUBJECT, Client IP and cs(Cookie). Looking at a sample representation below, you can see that a cert subject of BILL is shown coming from two different client IPs. The cert subject coming from 10.0.0.1 should be "FRED". I don't know if it is meaningful information, but the cookie values are unique, so it looks like the proxy server is just grabbing the wrong CERT_SUBJECT.
HTTP_X_CERT_SUBJECT   CLIENT IP     cs(Cookie)
BILL_23455199182      192.168.0.1   _ga=GA1.2.1234; csrftoken=dfde.....
BILL_23455199182      10.0.0.1      _ga=GA2.2.4567; csrftoken=LH98ma......
So, my question is: since I think I've narrowed it down to the reverse proxy server, what IIS settings should I start experimenting with? I know there are cache settings in many places, and I think the only thing I've tried thus far is completely disabling Output Caching, but I am going to go through all suggestions methodically to see if one of them solves the problem.
Thanks in advance for any suggestions anyone can offer.
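The check the poster did by eye over the advanced log, written out as an added example that is not part of the thread: group records by the forwarded HTTP_X_CERT_SUBJECT and flag any subject that reaches the backend from two different client IPs within a few seconds, noting whether the cookies differ (which is what points at the proxy rather than at genuinely shared sessions). The log lines, the added timestamp column and the 5-second window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the poster's advanced-logging fields
# (HTTP_X_CERT_SUBJECT, client IP, cs(Cookie)), plus an assumed timestamp
# column so records can be compared in time.
SAMPLE_LOG = """\
2017-09-13 15:01:02 BILL_23455199182 192.168.0.1 _ga=GA1.2.1234;csrftoken=dfde
2017-09-13 15:01:04 BILL_23455199182 10.0.0.1 _ga=GA2.2.4567;csrftoken=LH98ma
2017-09-13 15:09:30 FRED_99887766 10.0.0.1 _ga=GA2.2.4567;csrftoken=LH98ma
2017-09-13 15:20:00 BILL_23455199182 192.168.0.1 _ga=GA1.2.1234;csrftoken=dfde
"""


def parse_log(text):
    """Yield (timestamp, cert_subject, client_ip, cookie) for each record."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, subject, ip, cookie = line.split(None, 4)
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        yield ts, subject, ip, cookie


def find_crossed_subjects(text, window_seconds=5):
    """Return {subject: [(ip_a, ip_b, seconds_apart, cookies_differ), ...]}
    for every cert subject forwarded from two different client IPs within
    window_seconds of each other. cookies_differ is True when the two
    records carry different cookies, i.e. two distinct client sessions."""
    by_subject = defaultdict(list)
    for ts, subject, ip, cookie in parse_log(text):
        by_subject[subject].append((ts, ip, cookie))
    findings = {}
    for subject, records in by_subject.items():
        records.sort()  # chronological order per subject
        for (prev_ts, prev_ip, prev_cookie), (ts, ip, cookie) in zip(records, records[1:]):
            gap = (ts - prev_ts).total_seconds()
            if ip != prev_ip and gap <= window_seconds:
                findings.setdefault(subject, []).append(
                    (prev_ip, ip, gap, prev_cookie != cookie))
    return findings


if __name__ == "__main__":
    for subject, hits in find_crossed_subjects(SAMPLE_LOG).items():
        for ip_a, ip_b, gap, cookies_differ in hits:
            print(f"{subject}: seen from {ip_a} and {ip_b} {gap:.0f}s apart, "
                  f"distinct cookies={cookies_differ}")
```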
Sep 14, 2017 08:17 AM | Yuk Ding
The cross session should be related to the session state and proxy affinity. So to avoid this issue, maybe you need to set the session state to in-proc session state.
If you only need to rewrite a few clients, maybe you could use ARR load balancing and enable client affinity to avoid the cross session.