On Mon, Mar 25, 2002 at 02:21:12PM -0500, Cliff Woolley wrote:
>
> > On Mon, Mar 25, 2002 at 05:47:04PM -0000, Bray, Mike wrote:
> > > Can anyone help by explaining how the session cache works? We have a web
> > > site supported by two servers using a content switch to load balance.
> >
> > and you're absolutely sure that it is not hte client that has requested
> > a new session? MSIE usually cuts sessions after a couple of minutes
> > (the length varies with the browser and ssl version)
>
> When load balancing, if the back-end servers do not share a session cache,
> a client that initiates a session with one server and then gets handed off
> to another server will lose the session, because the client will not know
> it got handed off. It will present a session to the new back-end server
> that the new server knows nothing about, and the server will force a
> renegotation.
Yep, I read his post as if they had the load balancer set up with sticky
sessions - but you're probably right that it would be a good idea to test
without the loadbalancer, but with the same browser.
>
> > > Does the time out last from the start of the session to the end or
> > > does it last from request to request?
> >
> > It should last from the start of the session until the timeout, but the
> > client can cut it short.
>
> The server can also cut it short. This can happen in the above situation
> or when the session cache fills up under heavy load (for certain kinds of
> session caches).
Yup, I forgot about that.
>
> > > I have seen discussion about nokeepalive with MSIE. Would this affect
> > > it?
> > I don't think so.
>
> I tend to think the two most likely are related. There's less you can do
> about it in this case, but the same general techniques might help. What
> BrowserMatch settings are you currently using? How is your SessionCache
> set up?
>
The defaults are nokeepalive IIRC - if that affects the session, then shouldn't
it cut the session short even after the initial request? Setting SSLLogLevel
to something like debug and looking for cache hits/misses would probably
be a good place to start. Also testing with something like Swamp and keeping
an eye out for session reuse.
I did some extensive testing on IE session lengt a year or two ago, and usually
they end up with something like cutting the session after 1 or 2 minutes
(this changes depending on the IE version, wether client certs are used and
wether it is SSLv2,3 or TLS). Testing with and without nokeepalive should be
easy though.
vh
Mads Toftum
--
With a rubber duck, one's never alone.
-- "The Hitchhiker's Guide to the Galaxy"
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
