Cluster and authentication

Author Message

Maxime Thomas

Monday 25 February 2008 1:32:49 am

Hi,

On a project, the client notify me that the load balancer which is used for all the frontal sites will be set up to not accept session affinities.

I guess you will have an affinity between the client IP and the frontal server, but does it consist of the loadbalencer configuration ? If my client tell me that he has disabled that functionnality, may I not log in eZPublish due to the session cookie ?

I'm thinking about this situation :
- First connection, the user logins in on server 1
- Second connection, the user is authentified on server 1 but redirected on server 2.

I know that the session information are stored in the database and in the cookie session. Can we disable the cookie session ? Does it mind if we are not using session affinity in the loadbalancer ?

Thank you for your replies.

Max

Maxime Thomas
[email protected] | www.wascou.org | http://twitter.com/wascou

Company Blog : http://www.wascou.org/eng/Company/Blog
Technical Blog : http://share.ez.no/blogs/maxime-thomas

Gaetano Giunta

Monday 25 February 2008 2:42:53 am

As long as all frontal servers are connected to the same backend database, and you are nout using https, session affinity is not needed.

Typical scenario:
+ user goes to site, hits server A
+ server A sets cookie to user, creates a row in the session table in the db
+ user goes to page 1, hists server B - he sends the session cookie (since all frontals are hidden by the load balancer, the server names is still the same for the end user)
+ server B receives session ID, looks it up in the DB, and finds session in there
+ all is fine ;)

Principal Consultant International Business
Member of the Community Project Board

Maxime Thomas

Monday 25 February 2008 6:33:03 am

Thank you ! Exactly what I wanted to know.

Maxime Thomas
[email protected] | www.wascou.org | http://twitter.com/wascou

Company Blog : http://www.wascou.org/eng/Company/Blog
Technical Blog : http://share.ez.no/blogs/maxime-thomas

Trent Jurewicz

Monday 25 February 2008 7:45:51 am

Gaetano-

I'm curious what the effect is if the server does use https. Is it only an issue if the session goes from http to https? Would there still be a problem if the entire session used https?

I am relatively new to ezPublish. I have not been able to track down much information about session management and user authentication. Can you point me the way to some documentation on the subject?

Thanks!

Maxime Thomas

Monday 25 February 2008 2:19:10 pm

Hi trent,

Here's some things you must know, I guess :

http://ez.no/doc/ez_publish/technical_manual/4_0/reference/configuration_files/site_ini/usersettings

And specially :

http://ez.no/doc/ez_publish/technical_manual/4_0/reference/configuration_files/site_ini/usersettings/loginhandler

If you would like to developp your own login handler :

http://ezpedia.org/wiki/en/ez/login_handler

And going further :

http://www.ezcomponents.org/docs/tutorials/Authentication

And as usual : welcome to eZ !

Max

Maxime Thomas
[email protected] | www.wascou.org | http://twitter.com/wascou

Company Blog : http://www.wascou.org/eng/Company/Blog
Technical Blog : http://share.ez.no/blogs/maxime-thomas

Gaetano Giunta

Tuesday 26 February 2008 1:40:02 am

<i>I'm curious what the effect is if the server does use https. Is it only an issue if the session goes from http to https? Would there still be a problem if the entire session used https?</i>

The main problem with https is where does the encrypted session end.

If the load balancer terminates the https session, forwarding http to the webserver pool then you have some nifty advantages:
- you install the ssl certs on the lb only
- the webservers are relieved of the ssl ciperhing load (lb will do it in hw if you buy add on cards so it is much more efficient)
- since the lb can look at the decrypted request, it can apply session affinity/stickiness if he wants to

If the load balancer does not terminate the https, I am not 100% sure, but what should happen is that either
a) once the ssl session is initiated, it will stick to the same real webserver, since ssl operates at a level just below tcp/http headers. So it should work, but you will not be spreading the load across your server pool. Also, in case that particular webserver goes down, the client will have to hit "refresh" to initiate a new ssl session to a different one
or
b) the different https requests of a user session end up on different web real servers. Every time a new SSL handshake takes place, since the SSL sesssion ID from server A will not be good for server B etc, and your webservers are under very high load (and pages seen by end user slower)

In any case you should definitely set keepalives on for https

Principal Consultant International Business
Member of the Community Project Board

Powered by eZ Publish™ CMS Open Source Web Content Management. Copyright © 1999-2014 eZ Systems AS (except where otherwise noted). All rights reserved.