Cluster and authentication

Next topic

Author	Message
Maxime Thomas	Monday 25 February 2008 1:32:49 am Hi, On a project, the client notify me that the load balancer which is used for all the frontal sites will be set up to not accept session affinities. I guess you will have an affinity between the client IP and the frontal server, but does it consist of the loadbalencer configuration ? If my client tell me that he has disabled that functionnality, may I not log in eZPublish due to the session cookie ? I'm thinking about this situation : - First connection, the user logins in on server 1 - Second connection, the user is authentified on server 1 but redirected on server 2. I know that the session information are stored in the database and in the cookie session. Can we disable the cookie session ? Does it mind if we are not using session affinity in the loadbalancer ? Thank you for your replies. Max Maxime Thomas maxime.thomas@wascou.org \| www.wascou.org \| http://twitter.com/wascou Company Blog : http://www.wascou.org/eng/Company/Blog Technical Blog : http://share.ez.no/blogs/maxime-thomas
Gaetano Giunta	Monday 25 February 2008 2:42:53 am As long as all frontal servers are connected to the same backend database, and you are nout using https, session affinity is not needed. Typical scenario: + user goes to site, hits server A + server A sets cookie to user, creates a row in the session table in the db + user goes to page 1, hists server B - he sends the session cookie (since all frontals are hidden by the load balancer, the server names is still the same for the end user) + server B receives session ID, looks it up in the DB, and finds session in there + all is fine ;) Principal Consultant International Business Member of the Community Project Board
Maxime Thomas	Monday 25 February 2008 6:33:03 am Thank you ! Exactly what I wanted to know. Maxime Thomas maxime.thomas@wascou.org \| www.wascou.org \| http://twitter.com/wascou Company Blog : http://www.wascou.org/eng/Company/Blog Technical Blog : http://share.ez.no/blogs/maxime-thomas
Trent Jurewicz	Monday 25 February 2008 7:45:51 am Gaetano- I'm curious what the effect is if the server does use https. Is it only an issue if the session goes from http to https? Would there still be a problem if the entire session used https? I am relatively new to ezPublish. I have not been able to track down much information about session management and user authentication. Can you point me the way to some documentation on the subject? Thanks!
Maxime Thomas	Monday 25 February 2008 2:19:10 pm Hi trent, Here's some things you must know, I guess : http://ez.no/doc/ez_publish/technical_manual/4_0/reference/configuration_files/site_ini/usersettings And specially : http://ez.no/doc/ez_publish/technical_manual/4_0/reference/configuration_files/site_ini/usersettings/loginhandler If you would like to developp your own login handler : http://ezpedia.org/wiki/en/ez/login_handler And going further : http://www.ezcomponents.org/docs/tutorials/Authentication And as usual : welcome to eZ ! Max Maxime Thomas maxime.thomas@wascou.org \| www.wascou.org \| http://twitter.com/wascou Company Blog : http://www.wascou.org/eng/Company/Blog Technical Blog : http://share.ez.no/blogs/maxime-thomas
Gaetano Giunta	Tuesday 26 February 2008 1:40:02 am <i>I'm curious what the effect is if the server does use https. Is it only an issue if the session goes from http to https? Would there still be a problem if the entire session used https?</i> The main problem with https is where does the encrypted session end. If the load balancer terminates the https session, forwarding http to the webserver pool then you have some nifty advantages: - you install the ssl certs on the lb only - the webservers are relieved of the ssl ciperhing load (lb will do it in hw if you buy add on cards so it is much more efficient) - since the lb can look at the decrypted request, it can apply session affinity/stickiness if he wants to If the load balancer does not terminate the https, I am not 100% sure, but what should happen is that either a) once the ssl session is initiated, it will stick to the same real webserver, since ssl operates at a level just below tcp/http headers. So it should work, but you will not be spreading the load across your server pool. Also, in case that particular webserver goes down, the client will have to hit "refresh" to initiate a new ssl session to a different one or b) the different https requests of a user session end up on different web real servers. Every time a new SSL handshake takes place, since the SSL sesssion ID from server A will not be good for server B etc, and your webservers are under very high load (and pages seen by end user slower) In any case you should definitely set keepalives on for https Principal Consultant International Business Member of the Community Project Board