Session timeout messages accessing cloud based HR application through WSS

Article ID: 225209

Products

Web Security Service - WSS

Issue/Introduction

Users access WSS via on-premise ProxySG servers that forward traffic into WSS.

Users are able to access and browse most web sites without issues.

However, users are unable to access the sdworx.co.uk domain consistently.

Users randomly receive "your session has expired" messages after logging into the session.

Bypassing WSS by pointing to the on-premise proxy IP address and going direct works fine.

Cause

The user is bounced between multiple on-premise proxy servers that egress from different IP addresses.

The back-end application receives the user's session data from different IP addresses and throws an error.

Environment

Proxy Forwarding into WSS

The load balancer front-ending the on-premise proxy servers does not have persistence enabled.

Resolution

Enabled persistence on the on-premise proxy load balancer to keep each user's session egressing from the same IP address.

Additional Information

Every 10 seconds, the client app would send a keep-alive probe to make sure the user's session was active. Assuming it was, the response would come back with a 1200 600 string (20 mins / 10 mins) as shown below.

When the user would get the session timeout message, it would always proceed the following response

This was triggered by the back-end cloud application because the IP address of the inbound request had changed, whilst the session cookies were still valid.

Enabling persistence at the on-premise proxy load balancer makes sure the IP address does not change.
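
One way to confirm this cause from proxy access logs, as an added example that is not part of the original article: the script flags users whose consecutive requests to the application host left through different egress IP addresses. The log layout, host names, proxy names and IP addresses are constructed for illustration and must be adapted to the real access-log format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (assumed layout, not a real ProxySG log format):
# timestamp  user  on-premise-proxy  egress-IP  destination-host
SAMPLE_LOG = """\
2024-01-10T09:00:00 alice proxy-a 198.51.100.10 hr.example.com
2024-01-10T09:00:10 alice proxy-a 198.51.100.10 hr.example.com
2024-01-10T09:00:20 alice proxy-b 198.51.100.20 hr.example.com
2024-01-10T09:00:30 alice proxy-a 198.51.100.10 hr.example.com
2024-01-10T09:00:05 bob proxy-b 198.51.100.20 hr.example.com
2024-01-10T09:00:15 bob proxy-b 198.51.100.20 hr.example.com
2024-01-10T09:00:25 alice proxy-b 198.51.100.20 www.example.org
this line is malformed and is skipped
"""

def parse(log_text):
    """Yield (timestamp, user, proxy, egress_ip, host) for well-formed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, proxy, egress_ip, host = parts
        yield datetime.fromisoformat(ts), user, proxy, egress_ip, host

def find_egress_flips(log_text, app_domain):
    """Per user, list each change of egress IP between consecutive requests
    to app_domain or one of its subdomains."""
    last_seen = {}              # (user, host) -> (timestamp, egress_ip)
    flips = defaultdict(list)
    for ts, user, proxy, ip, host in sorted(parse(log_text)):
        if host != app_domain and not host.endswith("." + app_domain):
            continue
        prev = last_seen.get((user, host))
        if prev and prev[1] != ip:
            flips[user].append({
                "host": host, "at": ts.isoformat(), "via": proxy,
                "from": prev[1], "to": ip,
                "gap_s": (ts - prev[0]).total_seconds(),
            })
        last_seen[(user, host)] = (ts, ip)
    return dict(flips)

if __name__ == "__main__":
    for user, events in find_egress_flips(SAMPLE_LOG, "example.com").items():
        for e in events:
            print(f"{user} {e['host']} {e['from']} -> {e['to']} "
                  f"at {e['at']} via {e['via']} (gap {e['gap_s']:.0f}s)")
```

Users who appear in the output mid-session are the ones the load balancer is moving between proxies; after persistence is enabled, the same query should return nothing for the application domain.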
