Lost sessions

  • Lost sessions

    We keep running into the problem that users are logged out of the Web Client in the middle of their work. The cause appears to be that the users reach us through NAT and load balancing across several gateways. As a result, a user who originally arrived with the IP of NAT gateway A may suddenly arrive via gateway B.

    The sessions apparently check whether the IP has stayed the same; otherwise the session is terminated. Is there any way to switch this function off?

  • #2
    Hi,

    this feature is part of a multi-layer security concept to defeat session stealing and other bad stuff which can be done with web applications. Even if somebody manages to steal the session id and your cookie, the server will block access if the new connection is made by an unknown IP address for that session. Stealing the cookie is pretty hard and it requires a vulnerable browser for doing that. Stealing a session is medium-hard, but we take care to prevent such stuff by adding whitelists for external data like e-mail to block injection of JavaScript code, or even images containing script code that may be executed by the browser.
    There is no switch to turn this security feature off, and switching off security features should be the very last step in order to make something work. Couldn't those load balancers be configured for session stability? I mean this issue won't only occur with OX but also with other network/web services.

    Greetings
    Last edited by Martin Heiland; 07-07-2009, 06:17 PM.



    • #3
      Just an idea, does this also happen when using SSL?



      • #4
        Yes, it is happening as well when we use SSL. The gateway load balancing of course keeps users persistent on the line that they initially got, but it is a bunch of lines, and often enough one of the connections drops and the users get rearranged on the remaining lines.



        • #5
          Okay, I understand the issue. If a connection drops, the session gets lost - that's a fact for most web applications or network services. When the connection of the current session goes away, the session is still alive for a timeout of about 6 hours. If no new requests are sent to the server with that session, it will time out automatically. It would be careless if we trusted a user who is connecting to an existing session through another connection.
          In your case the connection drops about every hour, which means that 6 sessions per user are idle during work time. I don't know the size of your installation, but 6 idle sessions don't require many resources. The biggest problem is that the user needs to log in again, but sadly there is nothing we can do about network connection interruptions.

          Greetings

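The behaviour described in posts #2 and #5 (a session bound to the client IP seen at login, plus an idle timeout of about 6 hours) can be illustrated with a small session store. The following Python is an added example written for this thread; it is not Open-Xchange code, and the class names, the `validate` result codes and the constructed IP addresses are assumptions. It shows both sides of the trade-off: a cookie replayed from an address the session has never seen is refused, which is the protection, but a legitimate user whose NAT gateway changes is refused in exactly the same way, which is the logout the original poster observes.

```python
import secrets
import time
from dataclasses import dataclass

# Post #5: an idle session lives for roughly 6 hours before it times out.
IDLE_TIMEOUT_SECONDS = 6 * 60 * 60


@dataclass
class Session:
    user: str
    client_ip: str   # address the session was created from (post #2: "known IP" for this session)
    last_seen: float


class SessionStore:
    """Hypothetical server-side session table with IP binding and idle expiry."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._clock = clock          # injectable so the timeout can be exercised offline

    def login(self, user, client_ip):
        # Unguessable session id; binding it to client_ip is what stops a replayed cookie.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, client_ip, self._clock())
        return sid

    def validate(self, sid, client_ip):
        """Return (status, user): 'ok', 'unknown', 'expired' or 'ip_mismatch'."""
        session = self._sessions.get(sid)
        if session is None:
            return "unknown", None
        now = self._clock()
        if now - session.last_seen > self._idle_timeout:
            del self._sessions[sid]     # post #5: idle sessions time out automatically
            return "expired", None
        if client_ip != session.client_ip:
            # Post #2: a request for this session from an IP it has never used is refused.
            # The thread describes the stricter variant where the session is ended too;
            # here the request is only rejected so the effect stays visible in the demo.
            return "ip_mismatch", None
        session.last_seen = now
        return "ok", session.user

    def purge_expired(self):
        now = self._clock()
        expired = [sid for sid, s in self._sessions.items()
                   if now - s.last_seen > self._idle_timeout]
        for sid in expired:
            del self._sessions[sid]
        return len(expired)

    def live_sessions(self, user):
        """Sessions still held for a user; re-logins after dropped lines pile up here (post #5)."""
        self.purge_expired()
        return sum(1 for s in self._sessions.values() if s.user == user)


class FakeClock:
    """Constructed clock for the demo so the 6-hour timeout can be advanced instantly."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk through the scenario from the thread; returns the observed statuses."""
    clock = FakeClock()
    store = SessionStore(clock=clock)
    gateway_a, gateway_b, stranger = "203.0.113.10", "203.0.113.20", "198.51.100.7"  # constructed
    sid = store.login("alice", gateway_a)
    results = {
        "same_gateway": store.validate(sid, gateway_a)[0],     # normal work: ok
        "other_gateway": store.validate(sid, gateway_b)[0],    # NAT rearranged the user: refused
        "replayed_cookie": store.validate(sid, stranger)[0],   # stolen cookie from elsewhere: refused
    }
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    results["after_idle_timeout"] = store.validate(sid, gateway_a)[0]   # expired
    return results


if __name__ == "__main__":
    print(demo())
```

The `live_sessions` method makes post #5's arithmetic concrete: a user who is forced to log in again every hour accumulates sessions that only disappear once each one has been idle for the full timeout, so the extra cost is a handful of idle table entries rather than anything a defender needs to worry about.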
