Forum Discussion

Juanma_47808's avatar
Juanma_47808
Icon for Nimbostratus rankNimbostratus
Mar 30, 2008

SSL session never ends

 

Hello,

 

 

I am trying to configure a https virtual server to load balance four WEB servers.

 

When a client ends his ssl session and tries to connect to again, he ocasionally receives and old page from his supposedly older ended ssl sesion. When a client clicks on any link of that old page, he is redirected to the main page again but if he refresh his session continuously (F5 key, F5 key ....) he can see the next WEB page as a result of his previous clicked link, without any authentication!!

 

 

 

Since the main page begins with a redirection, I have tried with an irule that found in the forum:

 

 

when HTTP_RESPONSE {

 

if {[HTTP::status] == 302} {

 

HTTP::header replace "Location" "https://myweb.domain.com:8081"

 

clientside {SSL::session invalidate}

 

}

 

}

 

 

but the problem continues.

 

 

 

I would remark three issues:

 

 

- I had another problem previously. A user could enter in the session of another logged user, and I solved this by disabling "unclean shutdown" and enabling "strict resume" in client and server SSL profile.

 

 

- I don´t use any persistence in the virtual server.

 

 

- I have not got CACHE module in my BIGIP.

 

 

 

Could be a persistence problem?

 

How can I force to end older SSL sessions?

 

 

 

Could you help me, please?

 

 

Thanks a lot in advance.

 

 

 

Juanma

 

 

 

application delivery
dev
devops
iRules
  • The_Bhattman's avatar
    The_Bhattman
    Icon for Nimbostratus rankNimbostratus
    Apr 03, 2008
    As you said you do not use any persistance. Are you using OneConnect Profile? Also is the webpage on the backend have code that does not allow the browser to cache the information?

     

     

  • Juanma_47808's avatar
    Juanma_47808
    Icon for Nimbostratus rankNimbostratus
    Apr 04, 2008

     

    Hello cmbhatt,

     

     

    I have disabled "one connect" and I have added "ssl persistence". Now, ¡it works! I have been trying login/logout several times and for the moment it starts a new session each time.

     

     

    Thanks a lot for your help.

     

     

    Best regards

     

     

    Juanma
  • Nicolas_Menant's avatar
    Nicolas_Menant
    Icon for Employee rankEmployee
    Apr 07, 2008
    Hi,

     

     

    If you want to maintain some CPU saving on your server you may use the oneconnect profile but you should specify a mask of 255.255.255.255. This way one client won't be able to use the TCP connection of another client (if you don't have clients coming through a proxy...)

     

     

    One comment about ssl persistence. By default the internet explorer 6 will renegociate client's SSL session ID every 2 minutes. Which means the client will be load balanced again and may have to authenticate himself again...

     

     

    HTH

     

     

  • Nicolas_Menant's avatar
    Nicolas_Menant
    Icon for Employee rankEmployee
    Apr 07, 2008
    I know this statement is true for ie5 an ie6 but i haven't been able to find information about ie7 for now.

     

     

    i'll try to do some testing this week and keep you in touch