IIS 7 and Above
PKI Authentication - Sessions Getting Crossed
Last post Aug 29, 2017 07:22 PM by wressem
Aug 03, 2017 07:33 PM | wressem
It is very likely that I will leave out some important details, but here is our issue.
IIS8 server #1 in DMZ (reverse proxy):
- Requires SSL, Requires client certificates (using PKI obviously)
- ARR with URL Rewrite; a server variable captures CERT_SUBJECT and puts it in a server variable
- Authentication set to anonymous
- Rewrite redirects to internal server over port 80
IIS8 server #2 - internal
- Authentication set to anonymous
- Authentication handled by DJANGO/CGI implementation (which I don't know much about yet)
- CERT_SUBJECT matched with database entry for authentication/authorization
Everything typically works fine; however, if two users log in within a short period of time (I think it is seconds), the first user's session will be hijacked by the 2nd user's session, and the first user will be logged in as the 2nd user. Somehow the session state of the first user is not being maintained.
I'm still working on the exact scenario that produces this, but I can generally recreate it about 50% of the time.
At this point, I need help in narrowing down whether this is an issue with the reverse proxy server, the internal web server or the implementation of DJANGO on the internal web server.
Any recommendations on how best to proceed?
Aug 04, 2017 06:47 AM | Yuk Ding
I think you may need to disable PKI or DJANGO to test whether it is an IIS issue. If the issue is caused by PKI or DJANGO, you may need to consult their vendor. However, if the sessions still cross after disabling these, you may need to check your cookie configuration.
If you were using an ASP.NET application, you could check the session state. Besides, you could check the configuration in system.web/httpCookies in Configuration Editor. In addition, IIS output caching could also cause this issue, so you could try to disable the output caching.
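The proxy-side configuration that the first post describes, together with the output-caching switch the reply above suggests turning off while testing, as an added example. This is a constructed web.config for the DMZ site, not the poster's actual file; the rule name and the internal host name app.internal.example are assumed.

```xml
<!-- Constructed example of the DMZ proxy's web.config (not the poster's file;
     rule name and backend host are assumed). -->
<configuration>
  <system.webServer>
    <!-- Require TLS and a client certificate on the DMZ site -->
    <security>
      <access sslFlags="Ssl,SslNegotiateCert,SslRequireCert" />
    </security>
    <!-- Troubleshooting step from the reply above: rule out IIS output caching
         while the crossed-subject behaviour is being reproduced -->
    <caching enabled="false" enableKernelCache="false" />
    <rewrite>
      <rules>
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
          <match url="(.*)" />
          <serverVariables>
            <!-- Subject of the TLS client certificate, forwarded to the
                 backend as the X-Cert-Subject request header -->
            <set name="HTTP_X_CERT_SUBJECT" value="{CERT_SUBJECT}" />
          </serverVariables>
          <!-- Forward to the internal server over plain HTTP (port 80) -->
          <action type="Rewrite" url="http://app.internal.example/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Two things to check alongside this: URL Rewrite will only set HTTP_X_CERT_SUBJECT if that name is listed under system.webServer/rewrite/allowedServerVariables in applicationHost.config, and because the backend receives the subject as an ordinary request header over port 80, the internal server should accept that header only on connections that come from the proxy, not from any host that can reach port 80 directly.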
Aug 04, 2017 05:38 PM | wressem
Thanks for the response. That gives us a few things to try. We'll do some troubleshooting and I'll report back.
Aug 29, 2017 07:22 PM | wressem
Follow-up to this. We have narrowed this problem down and have determined that the issue is in the reverse proxy server. It is a standard reverse proxy rule, which has one server variable configured. Since we require a client certificate, we configured the server variables section of URL Rewrite to capture the CERT_SUBJECT and send it over to our internal server as HTTP_X_CERT_SUBJECT.
Usually it works great. But if two users log in within seconds of each other, it can send the wrong CERT_SUBJECT over: one of those two users will get the other user's CERT_SUBJECT. We confirmed this by looking at the Django application logs on the internal web server, and we can see the wrong HTTP_X_CERT_SUBJECT coming through.
So, I'm assuming I need to focus on the proxy server, probably cache settings somewhere. Does anyone have any recommendations on what we should try? I don't know if it is the ARR cache, output caching in IIS, or elsewhere.
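Whatever the proxy-side cause turns out to be, the backend can refuse to act on a crossed header instead of silently serving one user's session as another. The block below is an added example, not the poster's Django code: a framework-free WSGI middleware that reads the forwarded subject the way the thread describes (HTTP_X_CERT_SUBJECT), accepts it only from an assumed proxy address (10.0.0.5), binds each session id to the first subject seen, and returns 403 and drops the session when a later request on that session carries a different subject. The subjects, session ids and addresses are constructed for the replay.

```python
"""Bind each backend session to the client-certificate subject the proxy forwards.

Constructed example (not the thread's Django application): plain WSGI, so it
runs without Django, but the header contract is the one the thread describes.
"""
import logging
from http.cookies import SimpleCookie

log = logging.getLogger("certsubject")

# Assumption: only the DMZ proxy may set the header; this address is made up.
TRUSTED_PROXIES = {"10.0.0.5"}
COOKIE_NAME = "sessionid"


class SubjectBoundSessions:
    """In-memory store: each session id is bound to exactly one cert subject."""

    def __init__(self):
        self._sessions = {}  # session id -> subject

    def check(self, session_id, subject):
        """Return 'new', 'ok' or 'mismatch'; a mismatch also drops the session."""
        bound = self._sessions.get(session_id)
        if bound is None:
            self._sessions[session_id] = subject
            return "new"
        if bound == subject:
            return "ok"
        del self._sessions[session_id]
        return "mismatch"


def get_session_id(environ):
    morsel = SimpleCookie(environ.get("HTTP_COOKIE", "")).get(COOKIE_NAME)
    return morsel.value if morsel else None


def forwarded_subject(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return the forwarded subject, or None if absent or not sent via the proxy."""
    if environ.get("REMOTE_ADDR") not in trusted_proxies:
        return None
    return environ.get("HTTP_X_CERT_SUBJECT", "").strip() or None


class CertSubjectMiddleware:
    def __init__(self, app, store=None):
        self.app = app
        self.store = store or SubjectBoundSessions()

    def __call__(self, environ, start_response):
        subject = forwarded_subject(environ)
        sid = get_session_id(environ)
        if subject is None or sid is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"client certificate required"]
        state = self.store.check(sid, subject)
        if state == "mismatch":
            # This is the crossed-header case from the thread: log it, kill the
            # session cookie, and do not serve the request under either identity.
            log.warning("session %s already bound to another subject; got %r", sid, subject)
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Set-Cookie", f"{COOKIE_NAME}=; Max-Age=0")])
            return [b"session/subject mismatch; log in again"]
        environ["cert.subject"] = subject
        return self.app(environ, start_response)


def hello_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ['cert.subject']}".encode()]


def run_request(app, remote_addr, subject, session_id):
    """Drive a WSGI app with a constructed environ; return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/",
               "REMOTE_ADDR": remote_addr, "HTTP_COOKIE": f"{COOKIE_NAME}={session_id}"}
    if subject is not None:
        environ["HTTP_X_CERT_SUBJECT"] = subject
    body = b"".join(app(environ, start_response))
    return captured["status"], body


def replay_crossed_sessions():
    """Replay the thread's failure: the proxy forwards bob's subject on alice's session."""
    app = CertSubjectMiddleware(hello_app)
    alice, bob = "CN=alice,OU=Users,O=Example", "CN=bob,OU=Users,O=Example"
    return [
        run_request(app, "10.0.0.5", alice, "sessA")[0],   # alice logs in
        run_request(app, "10.0.0.5", bob, "sessB")[0],     # bob logs in
        run_request(app, "10.0.0.5", bob, "sessA")[0],     # crossed header: refused
        run_request(app, "10.0.0.5", alice, "sessA")[0],   # session was dropped; rebinds
        run_request(app, "192.0.2.10", alice, "sessC")[0], # header not via the proxy
    ]


if __name__ == "__main__":
    print(replay_crossed_sessions())
```

The middleware does not fix the proxy, but it turns a silent account swap into a logged 403, which is also the quickest way to tell from the backend logs how often the crossed header actually arrives.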