Safari cannot load balance with https

Question

Level 1

0 points

Safari cannot load balance with https

I am a developer for a web site which runs ASP.NET pages on Windows Server 2003, IIS 6.0. We use Basic Authentication and HTTPS.

We are using a load balancing solution to distribute the load to 4 web servers.

We have been using this setup for over 5 years with IE and Firefox/Mozilla/Netscape browsers.

Recently I have been asked to make Safari browsers work with our site ... MAC, Windows and iPhone versions.

On all 3 platforms I am seeing the same problem ...

The load balancer uses the SSL 3.0 Session ID to determine if the requests to the site are coming from the same client (browser) and thus will ensure that all requests from that browser go to the same web server.

This works fine with IE, Firefox ... it does not work with any version of Safari. When the load balancer gets a request from a single Safari browser session, it sends the requests to multiple servers, causing issues with the pages returned.

If I run Safari with an HTTP debugger ... like Fiddler (where it uses a proxy server) ... Safari works fine.

Some questions:
1. Does Safari expose the SSL 3.0 session id in the same manner as the other browsers ... i.e. an un-encrypted version of the header.
2. Does Safari send many concurrent requests? Firefox and IE limit concurrent requests to 2.
3. Could Safari be timing out it's SSL 3.0 session id frequently or quickly?
4. Is there a reason Safari does not send the http Basic Authentication header with every request once it authenticates with a particular realm?
3. Are there any other possible causes of this problem?

What do you think?

DELL, Windows XP Pro

Posted on Oct 22, 2008 2:17 PM

Reply

Answer 1

Oct 23, 2008 6:48 AM in response to foobar64

I haven't experienced any problems like this with server session IDs.

The Session ID remains the same, even if the Session is cleared.

I'm not sure what an "SSL 3.0 Session ID" is... sounds client-side. The server-side Session ID might be the way to go.

Reply

Answer 2

foobar64 Author

Level 1

0 points

Oct 23, 2008 10:20 AM in response to Reverse_Parn

Thank you for your reply.

The session server id is being maintained by Safari and when the connections are kept on a single server (like when I use Fiddler's proxy to connect) it works fine.

The SSL 3.0 Session ID is part of the SSL handshake which is used to establish an https connection. It is established between the browser and the web server as part of encypting the traffic.

As I understand it ... part of the SSL 3.0 protocol is to include an un-ecrypted header along with the encrypted data.

Our load balancing sofware is using a portion of this header (as it is un-encrypted and thus it can read it) to establish when requests are coming from the same web browser. This is the SSL Session ID.

If the Session ID is the same, it will send all traffic to the same web server ... as it knows it is the same web browser.

The problem arises in that the load balancer is not able to indentify requests from the same Safari browser as part of the same secure session.

So I am trying to understand what Safari is doing within the SSL header ... as it is not normally visible to standard web debugging tools ... they only show the http headers.

Unfortunately I cannot easily change out the load balancing software or change it to use session state ids. I am trying to understand how Safari handles this to determine strategies to resolve this issue ... and thus allow my client base to use their Safari browsers to access out service.

What do you think?

Reply

Answer 3

Oct 25, 2008 11:02 AM in response to foobar64

Click Develop -> Show Web Inspector.

Also try Network Timeline.

Reply