IIS 7 and Above
PKI Authentication - Sessions Getting Crossed
Last post Aug 04, 2017 05:38 PM by wressem
Aug 03, 2017 07:33 PM | wressem
It is very likely that I will leave out some important details, but here is our issue.
IIS8 server #1 in DMZ (reverse proxy):
- Requires SSL, requires client certificates (using PKI obviously)
- ARR with URL Rewrite; a server variable captures CERT_SUBJECT and puts it in a server variable
- Authentication set to anonymous
- Rewrite redirects to internal server over port 80
IIS8 server #2 - internal
- Authentication set to anonymous
- Authentication handled by DJANGO/CGI implementation (which I don't know much about yet)
- CERT SUBJECT matched with database entry for authentication/authorization
Everything typically works fine; however, if two users log in within a short period of time (I think it is seconds), the first user's session will be hijacked by the 2nd user's session, and the first user will be logged in as the 2nd user. Somehow the session state of the first user is not being maintained.
I'm still working on the exact scenario that produces this, but I can generally recreate it about 50% of the time.
At this point, I need help in narrowing down whether this is an issue with the reverse proxy server, the internal web server or the implementation of DJANGO on the internal web server.
Any recommendations on how best to proceed?
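One way to narrow this down from the internal server's side is to make the backend refuse to reuse a session for anyone but the certificate subject it was issued to, so a crossed session shows up as a fresh login instead of the wrong identity. The following is an added example, not code from this thread or from the poster's Django application: plain Python with an in-memory session store standing in for Django's session backend, and with the proxy-set header name (`X-Client-Cert-Subject`) and cookie name (`sessionid`) assumed, since the thread does not give them. It assumes the reverse proxy always overwrites that header from CERT_SUBJECT, so a copy supplied by the browser never reaches the backend.

```python
# Added example, not code from the thread: a backend check that binds each
# session to the client-certificate subject forwarded by the reverse proxy.
# Plain Python (no Django) so it runs stand-alone; the header and cookie
# names below are assumptions, the thread does not state them.
import secrets
import time
from dataclasses import dataclass, field

SUBJECT_HEADER = "X-Client-Cert-Subject"   # assumed name of the proxy-set header
SESSION_COOKIE = "sessionid"               # assumed session cookie name
SESSION_TTL = 8 * 3600                      # seconds a session stays valid


@dataclass
class Session:
    subject: str            # certificate subject the session was issued for
    created: float          # creation time (epoch seconds)
    data: dict = field(default_factory=dict)


class SessionStore:
    """In-memory stand-in for Django's session backend."""

    def __init__(self):
        self._sessions = {}

    def create(self, subject, now):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(subject, now)
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


@dataclass
class Request:
    headers: dict   # headers as received from the proxy
    cookies: dict   # cookies sent by the browser


def authenticate(request, store, now=None):
    """Return (subject, session_id, issued_new_session).

    The subject is read from the proxy header on *this* request only; nothing
    from an earlier request on the same connection is remembered. A cookie is
    honoured only if the session it names was created for the same subject and
    has not expired; otherwise a fresh session is issued and the cookie's
    session is left untouched, so one user is never handed another's.
    """
    now = time.time() if now is None else now
    subject = request.headers.get(SUBJECT_HEADER, "").strip()
    if not subject:
        raise PermissionError("no client-certificate subject on this request")

    sid = request.cookies.get(SESSION_COOKIE)
    sess = store.get(sid) if sid else None
    if sess is not None and sess.subject == subject and now - sess.created < SESSION_TTL:
        return subject, sid, False
    return subject, store.create(subject, now), True


def two_quick_logins(store=None):
    """Replay the thread's scenario: two users log in a second apart, then the
    second user's browser is (wrongly) carrying the first user's cookie.
    Returns the identities the backend actually serves, which must stay distinct."""
    store = store or SessionStore()
    sub_a, sid_a, _ = authenticate(Request({SUBJECT_HEADER: "CN=alice"}, {}), store, now=1000.0)
    sub_b, sid_b, _ = authenticate(Request({SUBJECT_HEADER: "CN=bob"}, {}), store, now=1001.0)
    # bob's subject arrives with alice's cookie: the cookie is ignored, not adopted
    sub_x, sid_x, fresh = authenticate(
        Request({SUBJECT_HEADER: "CN=bob"}, {SESSION_COOKIE: sid_a}), store, now=1002.0)
    return {
        "alice": (sub_a, sid_a),
        "bob": (sub_b, sid_b),
        "bob_with_alice_cookie": (sub_x, sid_x, fresh),
        "alice_session_still_alice": store.get(sid_a).subject == "CN=alice",
    }


if __name__ == "__main__":
    for key, value in two_quick_logins().items():
        print(key, value)
```

If the crossed identity still appears with this check in place, the wrong subject is arriving in the header itself, which points at the proxy hop (how the server variable is captured and forwarded) rather than at the Django session handling.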
Aug 04, 2017 06:47 AM | Yuk Ding
I think you may need to disable PKI or DJANGO to test whether it is an IIS issue. If the issue is caused by PKI or DJANGO, you may need to consult their vendor. However, if disabling these still crosses the session, you may need to check your cookie configuration.
If you were using an asp.net application, you could check the session state. Besides, you could check the configuration in system.web/httpCookies in Configuration Editor. In addition, the IIS output caching could also cause this issue, so you could try to disable the output caching.
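The output-caching point above can be checked without touching the servers: capture a response from the internal server as it leaves the proxy and look at whether anything in its headers tells a shared cache not to keep it. The following is an added example, not code from this thread: a small header inspector over two constructed responses, the first with no cache directives and the second with the directives a per-user page should carry. The subject header name `X-Client-Cert-Subject` is an assumption, as above.

```python
# Added example, not from the thread: a header check for whether a response
# from the internal server could be stored by a shared cache (such as IIS
# output caching on the proxy) and served to a different user. The sample
# responses below are constructed; the subject header name is assumed.
SUBJECT_HEADER = "X-Client-Cert-Subject"

# constructed: a per-user page with no cache directives at all
RISKY_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/; HttpOnly

<html>Welcome, alice</html>"""

# constructed: the same page with the directives a per-user response should carry
SAFE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Cache-Control: no-store, private
Vary: X-Client-Cert-Subject, Cookie
Set-Cookie: sessionid=abc123; Path=/; HttpOnly; Secure

<html>Welcome, alice</html>"""


def parse_response(raw):
    """Split a raw HTTP response into (status_line, [(name_lower, value), ...])."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # the blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def cache_risks(raw):
    """Return a list of findings; empty means a shared cache has no reason to
    store this response or re-serve it to another user."""
    _, headers = parse_response(raw)
    values = {}
    for name, value in headers:
        values.setdefault(name, []).append(value)

    cc = {t.strip().lower() for v in values.get("cache-control", []) for t in v.split(",")}
    cacheable = not ({"no-store", "private"} & cc)
    findings = []
    if cacheable:
        findings.append("CACHEABLE")  # neither no-store nor private: a shared cache may keep it
        if "set-cookie" in values:
            findings.append("SET_COOKIE_CACHEABLE")  # a cached session cookie could reach another user
        vary = {t.strip().lower() for v in values.get("vary", []) for t in v.split(",")}
        if SUBJECT_HEADER.lower() not in vary and "*" not in vary:
            findings.append("NO_VARY_ON_SUBJECT")  # the cache key does not include who asked
    return findings


if __name__ == "__main__":
    for label, resp in (("risky", RISKY_RESPONSE), ("safe", SAFE_RESPONSE)):
        print(label, cache_risks(resp) or "ok")
```

A response that comes back flagged is one that output caching on the proxy could legitimately hand to the next user, so either the backend adds the directives or caching is disabled on the proxy site (in IIS the `system.webServer/caching` section has `enabled` and `enableKernelCache` attributes for this). Django's own session middleware adds `Vary: Cookie`, which does not help here because the identity comes from the certificate header, not the cookie.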
Aug 04, 2017 05:38 PM | wressem
Thanks for the response. That gives us a few things to try. We'll do some troubleshooting and I'll report back.