Solved

SSL renegotiation in IE8 and above causes session loss and logout

Posted on 2014-04-06
Last Modified: 2014-04-07
I have an issue with IE8 and other later versions with a website that requires a login over SSL / https. The issue is that when first logged in and after clicking a link the browser loses the session and logs me out. After the second login all is fine. This only seems to affect some IE browsers running on Windows and not others. The website is running on a LAMP server.

This seems to be very similar to the issue at http://support.microsoft.com/kb/937480 (although the Internet Explorer versions are older) but changing this setting made no difference.

Any ideas please? Other browsers, e.g. FF, Chrome, seem to be fine.
Question by:ncw
15 Comments
 
LVL 61

Expert Comment

by:btan
ID: 39982205
SSL renegotiation has a security problem, e.g. CVE-2009-3555, in that servers supporting the old type of renegotiation are vulnerable to data injection.

Reference to Microsoft Security Advisory: Vulnerability in TLS/SSL could allow spoofing - Internet Explorer: When you browse Web sites that require client certificate authentication, but not site-wide client certificate authentication, you may not successfully be able to connect.

If your servers do not use client (or mutual) authentication, you don't need this patch as it disables the renego at the server end. Also your server isn't going to accept a renegotiation request anyway since it is not supposed to do that. But if it is there, the reneg is disabled, hence the "side-effect" may occur.

Notes
If the DisableRenegoOnClient subkey is present and has any nonzero value:
- The client will not initiate renegotiation.
- The client will not respond to renegotiation.

If the DisableRenegoOnClient subkey is missing or is present and has a zero value:
- The client will initiate renegotiation.
- The client will respond to renegotiation.

If your web server is reachable via the public internet, you may want to check using ssltest to surface any security issues.
0
 
LVL 1

Author Comment

by:ncw
ID: 39982392
I think I've used the term 'renegotiation' here before I've understood its significant meaning, and I'm not sure what that is. The symptom is that some IE8+ browsers will not maintain the login session over SSL without logging in a second time. If SSL is disabled the login session is maintained; it seems like there's an issue maintaining the initial session with some IE browsers when transferring between https and http; other browsers appear to be OK.

Thank you for the SSL test link.
0
 
LVL 1

Author Comment

by:ncw
ID: 39982445
Maybe Fiddler will help me analyse.
0
 
LVL 61

Expert Comment

by:btan
ID: 39982596
Indeed, Fiddler 2.0 can help to get the session as the user is browsing. It needs to be set as your local proxy. Errors in responses from the server will give us some leads to start with. Likewise, using this with other browsers going through the same can highlight the differences.

But do note that for SSL intercept Fiddler will need to act like a man in the middle, using its cert on behalf of the browser client. It should not impact things though, since we are interested in https-to-http transition debugging.

I also suspect the use and persisting of the session using a session id or cookies; we may look out for those in the response and the return request action.
0
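One way to check the cookie side of the https-to-http transition discussed above, as an added example that is not part of the original thread: it applies the standard RFC 6265 domain, path and Secure matching rules (not anything IE-specific) to a captured Set-Cookie header and the next request, the way you would after pulling the headers out of Fiddler. The hostnames, cookie name and header values are constructed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample capture (not from the original thread): the https login
# response sets the session cookie, then the browser follows a plain-http link.
LOGIN_RESPONSE = {
    "url": "https://shop.example.com/account/login.php",
    "set_cookie": "PHPSESSID=abc123; Path=/; Secure; HttpOnly",
}
NEXT_REQUEST_URL = "http://shop.example.com/cart/view.php"

def default_path(url_path):
    """RFC 6265 5.1.4: default cookie path is the directory of the request path."""
    if not url_path.startswith("/") or url_path.count("/") == 1:
        return "/"
    return url_path.rsplit("/", 1)[0]

def cookie_sent_on(set_cookie_header, response_url, request_url):
    """Apply RFC 6265 domain, path and Secure matching to decide whether the
    cookie set by response_url is attached to a later request to request_url.
    Returns (cookie name, sent?, list of reasons it would be withheld)."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    name = next(iter(jar))
    morsel = jar[name]
    resp, req = urlsplit(response_url), urlsplit(request_url)
    host_only = not morsel["domain"]          # no Domain attribute: exact host only
    domain = (morsel["domain"] or resp.hostname or "").lstrip(".").lower()
    path = morsel["path"] or default_path(resp.path)
    req_host, req_path = (req.hostname or "").lower(), req.path or "/"
    reasons = []
    if host_only and req_host != domain:
        reasons.append("host-only cookie, request host differs")
    elif not host_only and req_host != domain and not req_host.endswith("." + domain):
        reasons.append("Domain attribute does not cover the request host")
    if req_path != path and not req_path.startswith(path.rstrip("/") + "/"):
        reasons.append("Path attribute does not cover the request path")
    if morsel["secure"] and req.scheme != "https":
        reasons.append("Secure cookie is withheld from a plain-http request")
    return name, not reasons, reasons

def check_transition():
    """Run the constructed https-login-then-http-link scenario."""
    return cookie_sent_on(LOGIN_RESPONSE["set_cookie"],
                          LOGIN_RESPONSE["url"], NEXT_REQUEST_URL)

if __name__ == "__main__":
    name, sent, why = check_transition()
    print(name, "sent" if sent else "NOT sent:", "; ".join(why))
```

A cookie the browser withholds on the http page looks exactly like a lost session on the server side, which is why comparing the Set-Cookie attributes with the URL of the next request is the first thing to check in the capture.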
 
LVL 1

Author Comment

by:ncw
ID: 39982602
The fact that some IE browsers don't seem to give trouble and others do suggested to me that an IE configuration setting might be the cause, so I thought I might try to compare registry settings if they are not too dispersed.
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 39982671
Rightfully for an SSL persistent session, the sslid in the cookie is not lasting, as renegotiation will occur as if it is a new session. Actually if it is an https transit to http, the session should be torn down as security good practice, and you may look into single sign-on instead for user transparency.

Coming back, you may want to catch this: Limitations of SSL stickiness

Users have also reported similar behavior when clicking on links that open new tabs within the browser. This behavior is also documented in the Microsoft knowledgebase.

You experience connection problems when you use Internet Explorer to browse through pages on a secure Web site:
http://support.microsoft.com/default.aspx/kb/937480

Internet Explorer’s inconsistent behavior serves as a warning that SSL stickiness relies on obedient behavior by the client browser to function properly. Since application developers and network administrators cannot guarantee that all clients are running a specific browser or version, and since servers can also become the culprits in forcing session ID renegotiations, SSL stickiness is generally deemed unreliable.
0
 
LVL 1

Author Comment

by:ncw
ID: 39982729
This is now getting highly technical and over my head. Seems to me there could be many factors involved including browser settings, router configurations, etc. What can the solution be for a web developer designing a cross-browser login system that uses sessions switching between http to https to http?

Even though all the other browsers and most IE browsers (all versions IE8 and over) seem to work, if one is to cater for all users then it seems the whole site will need to be served via https if it is to be reliable.
0
 
LVL 61

Expert Comment

by:btan
ID: 39983072
That is the ideal case for a developer and rather tough, esp. to be all-browser compatible and keeping up with each version. But as mentioned, pls do consider single sign-on and, if needed, having a proxy fronting the web server to handle it transparently to the web server. Robust testing is critical, and to optimise the testing effort you can check out browsershots, which is a good attempt, and more mentioned here (including plugins and tools).

But most of the time, Microsoft IE will be the most hardcore and that should be the first to validate prior to Chrome, FF, Opera etc. So I will also encourage you to check these tips related to MS IE and the sharing on cross-browser development standards and interoperability tests.

Likewise we cannot neglect security, and OWASP is a well respected community actively contributing to secure web code development from practitioners and experts; see the contributed cheatsheets (e.g. session mgmt and auth mgmt etc.) on securing web apps further and putting in place the secure lifecycle process.
0
 
LVL 1

Author Comment

by:ncw
ID: 39983218
Not sure what you mean by 'single sign on' in this context; the website only requires the customer to log in once if it's working correctly, but with the affected IE browsers they have to log in twice.

Also not sure what you mean by 'a proxy fronting the web server to handle it transparently'.
0
 
LVL 61

Expert Comment

by:btan
ID: 39983282
Pardon me.

Single sign-on (SSO) - the outcome is to ensure the user keys in once and is accessible throughout the domain, which as mentioned is already what you are doing. Actually I am seeing that SSO indirectly can also tap on a password wallet based scheme that recognises the site and will automatically "shoot" in the credential and sign in. Here is another means for achieving "SSO" in configuring the various browsers.

Proxy - use of an app delivery control or proxy based type that inspects the request and uses its web metadata to perform session stickiness, e.g. F5 session persistence or HAProxy for session handling.
0
 
LVL 1

Author Comment

by:ncw
ID: 39983329
I think we need to bring the level of complexity down to the context concerned, which is a shopping cart system. Other shopping cart systems must have come across such issues and hopefully solved them in an economic way.
0
 
LVL 61

Expert Comment

by:btan
ID: 39983371
Understand that complexity is the enemy of security too. Probably bring the troubleshooting back to sieving out the session handling via the various browsers. Hope the links shared so far can help, and I know there is quite a fair amount to delve into.
0
 
LVL 1

Author Comment

by:ncw
ID: 39983473
Thanks for the links, although I don't think it's going to help me solve this problem much because it's impractical to do a PhD on security just to solve a log in/log out issue for a few IE users (life's too short). So my best hope is to do a few tests, compare settings, compare other shopping cart log in code, and use a process of elimination.
0
 
LVL 1

Author Closing Comment

by:ncw
ID: 39983479
Not a solution but thanks for the discussion.
0
 
LVL 61

Expert Comment

by:btan
ID: 39984767
Noted, thanks.
0
