Posted

Hello,

I have a situation where a user cannot log on to several different PW installs from different machines on his workplace network.

Sometimes the initial logon is working but when navigating the PW backend he gets thrown out. Sometimes even the initial logon is not working and he is redirected too many times and the browser throws a redirection error.

This points to PW losing its session. But the same sites are working fine when accessed from within other network environments.

The user's workplace network has some pretty tight security (firewall) restrictions in place that prevent PW from keeping its session.

I don't know enough about network security so I can't tell what exactly could cause that problem. I checked in the browser settings to make sure session cookies are allowed and there.

Has anyone ever experienced issues like that, and would there be a way to make PW keep its session under these circumstances?

  • Like 1
Posted

That would have been my guess as well. Nine out of ten times, session fingerprinting is the cause of such problems, especially with corporate networks where outgoing IP addresses may change on the fly and security solutions might change request headers to make tracking harder.

  • Like 3
Posted

Thank you both for your feedback.

Is there anything we can do to work around those security restrictions?

EDIT: guess it has something to do with $config->sessionFingerprint setting. I'll play around with that.

  • Like 1
Posted

Unfortunately I can only quote Soma here, though it would be interesting to hear @ryan's opinion in this case...

On 20.11.2015 at 7:38 PM, Soma said:

There are no alternatives afaik. Fingerprint is sometimes too much security and creates more problems than it solves.

Posted

@bernhard I'll see what I can do with the $config->sessionFingerprint settings to avoid these problems. Although I don't feel comfortable messing with security features...

  • Like 1
Posted

1 hour ago, BitPoet said:

especially with corporate networks where outgoing IP addresses may change on the fly and security solutions might change request headers to make tracking harder.

Reminds me of this one:

Is it a similar or the same issue? I'm not quite sure; that's why I'm asking.

"They have two VDSL lines into the building that feed their router through a load balancer. It seems that their setup meant that responses to outbound traffic did not necessarily come back in via the same line."

  • Like 1
Posted
2 hours ago, BitPoet said:

[...] especially with corporate networks [...]

This. We've run into this on so many occasions that I have disabled IP addresses from the fingerprint in all our configs.

1 hour ago, gebeer said:

Although I don't feel comfortable messing with security features

I initially felt the same. Then I realised: you are taking one brick out of the security wall. There are probably more issues with human errors like people with bad passwords or outdated computers prone to trojans and such.

  • Like 1
Posted

The problem in my case is that this project will have more than 2000 users that will log on from all over the world.

So I guess I will have to disable session fingerprinting to make sure that everyone can connect without issues.

  • Like 2
Posted
2 hours ago, gebeer said:

disable session fingerprinting

You don't entirely have to disable it, just fingerprint the browser for instance. There are several options. See this commit in wire/config.php by ryan.

  • Like 3
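To make the trade-off in the last two posts concrete, here is an added illustration (not ProcessWire's own code, and not from anyone in this thread) of what a fingerprint built from different request attributes does with the load-balanced two-line setup quoted earlier. The bit values 2 (remote IP) and 8 (user agent) are assumed to follow the bitmask documented for $config->sessionFingerprint in wire/config.php; the request data is constructed.

```python
import hashlib

# Fingerprint modes modelled on the bitmask used by ProcessWire's
# $config->sessionFingerprint (assumed values: 2 = remote IP, 8 = user agent).
FP_REMOTE_IP = 2
FP_USER_AGENT = 8

def make_fingerprint(request: dict, mode: int) -> str:
    """Hash only the request attributes selected by `mode`.

    `request` is a constructed dict with 'remote_ip' and 'user_agent' keys.
    Mode 0 disables fingerprinting and yields an empty fingerprint.
    """
    parts = []
    if mode & FP_REMOTE_IP:
        parts.append(request["remote_ip"])
    if mode & FP_USER_AGENT:
        parts.append(request["user_agent"])
    if not parts:
        return ""
    return hashlib.sha256("|".join(parts).encode()).hexdigest()

def session_still_valid(stored_fp: str, request: dict, mode: int) -> bool:
    """True if the fingerprint recorded at login matches the current request."""
    if mode == 0:
        return True
    return stored_fp == make_fingerprint(request, mode)

# Constructed sample traffic: the login request and three follow-ups.
# OTHER_LINE is the same browser leaving the building via the second egress
# line (different public IP); STOLEN_COOKIE reuses the cookie from another client.
LOGIN = {"remote_ip": "198.51.100.10", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/42.0"}
SAME_LINE = dict(LOGIN)
OTHER_LINE = {"remote_ip": "203.0.113.7", "user_agent": LOGIN["user_agent"]}
STOLEN_COOKIE = {"remote_ip": "192.0.2.99", "user_agent": "curl/7.45.0"}

def evaluate(mode: int) -> dict:
    """Report which follow-up requests keep the session under `mode`."""
    fp = make_fingerprint(LOGIN, mode)
    return {
        "same_line": session_still_valid(fp, SAME_LINE, mode),
        "other_line": session_still_valid(fp, OTHER_LINE, mode),
        "stolen_cookie": session_still_valid(fp, STOLEN_COOKIE, mode),
    }

if __name__ == "__main__":
    for mode in (0, FP_USER_AGENT, FP_REMOTE_IP | FP_USER_AGENT):
        print(mode, evaluate(mode))
```

With the IP included (mode 10) the legitimate user on the second line is logged out, with user agent only (mode 8) that user stays in while a cookie replayed from a different client type is still rejected, and with fingerprinting off (mode 0) nothing is checked at all.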