Losing session in certain network environments

gebeer

Hello,

I have a situation where a user cannot log on to several different PW installs from different machines on his workplace network.

Sometimes the initial logon is working but when navigating the PW backend he gets thrown out. Sometimes even the initial logon is not working and he is redirected too many times and the browser throws a redirection error.

This points to PW losing its session. But the same sites are working fine when accessed from within other network environments.

The user's workplace network has some pretty tight security (firewall) restrictions in place that prevent PW from keeping its session.

I don't know enough about network security so I can't tell what exactly could cause that problem. I checked in the browser settings to make sure session cookies are allowed and there.

Has anyone ever experienced issues like that, and would there be a way to make PW keep its session under these circumstances?


That would have been my guess as well. Nine out of ten times, session fingerprinting is the cause of such problems, especially with corporate networks where outgoing IP addresses may change on the fly and security solutions might change request headers to make tracking harder.


Thank you both for your feedback.

Is there anything we can do to work around those security restrictions?

EDIT: guess it has something to do with $config->sessionFingerprint setting. I'll play around with that.


Unfortunately I can only quote Soma here, though it would be interesting to hear @ryan's opinion in this case...

On 20.11.2015 at 7:38 PM, Soma said:

There are no alternatives afaik. Fingerprint is sometimes too much security and creates more problems than it solves.


1 hour ago, BitPoet said:

especially with corporate networks where outgoing IP addresses may change on the fly and security solutions might change request headers to make tracking harder.

Reminds me of this one:

Is it a similar or same issue? I'm not quite sure, that's why I'm asking.

"They have two VDSL lines into the building that feed their router through a load balancer. It seems that their setup meant that responses to outbound traffic did not necessarily come back in via the same line."


2 hours ago, BitPoet said:

[...] especially with corporate networks [...]

This. We've run into this on so many occasions that I have disabled IP addresses from the fingerprint in all our configs.

1 hour ago, gebeer said:

Although I don't feel comfortable messing with security features

I initially felt the same. Then I realised: you are taking out one brick of the security wall. There are probably more issues with human errors, like people with bad passwords or outdated computers prone to trojans and such.


The problem in my case is that this project will have more than 2000 users who will log on from all over the world.

So I guess I will have to disable session fingerprinting to make sure that everyone can connect without issues.


2 hours ago, gebeer said:

disable session fingerprinting

You don't entirely have to disable it, just fingerprint the browser for instance. There are several options. See this commit in wire/config.php by ryan.

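To make the trade-off discussed in this thread concrete, here is an added, constructed model of session fingerprinting (not ProcessWire's code; the bit values, the `SessionStore` class and the request dictionaries are this example's own assumptions). It shows why a session bound to the remote IP is dropped when the office egress address flips between two lines, while a user-agent-only fingerprint survives.

```python
"""Toy session-fingerprint model: which request attributes a session is bound to
decides whether a changing egress IP logs the user out. Constructed example."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Fingerprint components (this example's own bit values, not ProcessWire's).
FP_REMOTE_IP = 2      # REMOTE_ADDR: changes behind multi-WAN / balanced egress
FP_FORWARDED_IP = 4   # X-Forwarded-For: client supplied, trivially spoofable
FP_USER_AGENT = 8     # User-Agent: stable per browser, but also client supplied

SECRET = b"constructed-server-secret"  # keyed hash, so it cannot be computed offline


def fingerprint(req: dict, mask: int) -> str:
    """Hash only the request attributes selected by `mask`."""
    parts = []
    if mask & FP_REMOTE_IP:
        parts.append(req.get("remote_ip", ""))
    if mask & FP_FORWARDED_IP:
        parts.append(req.get("forwarded_for", ""))
    if mask & FP_USER_AGENT:
        parts.append(req.get("user_agent", ""))
    return hmac.new(SECRET, "|".join(parts).encode(), hashlib.sha256).hexdigest()


@dataclass
class SessionStore:
    mask: int
    sessions: dict = field(default_factory=dict)

    def login(self, sid: str, req: dict) -> None:
        self.sessions[sid] = fingerprint(req, self.mask)

    def is_valid(self, sid: str, req: dict) -> bool:
        """A changed fingerprint is treated as a lost session (forced logout)."""
        stored = self.sessions.get(sid)
        if stored is not None and hmac.compare_digest(
            stored, fingerprint(req, self.mask)
        ):
            return True
        self.sessions.pop(sid, None)  # mimic the "thrown out" behaviour from the thread
        return False


# Constructed requests: same browser, but the egress IP flips on the next request.
LOGIN_REQ = {"remote_ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (X11)"}
NEXT_REQ = {"remote_ip": "203.0.113.20", "user_agent": "Mozilla/5.0 (X11)"}


def simulate(mask: int) -> bool:
    """Log in with LOGIN_REQ, then check whether NEXT_REQ still has a session."""
    store = SessionStore(mask)
    store.login("sid-1", LOGIN_REQ)
    return store.is_valid("sid-1", NEXT_REQ)
```

Running `simulate(FP_REMOTE_IP | FP_USER_AGENT)` returns `False` (the user is logged out on the IP change), whereas `simulate(FP_USER_AGENT)` returns `True`; the price of the relaxed mask is that a stolen session cookie is no longer tied to the network it was issued on.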
