Christophe,

On 12/2/13, 8:53 AM, Dehaudt, Christophe wrote:
> On 11/29/13, 8:55 PM, Dehaudt, Christophe wrote:
>> I don't believe you can have the F5 manage any part of the
>> authentication. But you can use (expiring!) sticky
>> load-balancing. I've never used an F5 but I suspect that you can
>> use a combination of lb-generated cookie + server-generated
>> cookie to achieve a "unified stickiness". What you want is the
>> following:
>>
>> 1. 2-step authentication has both steps going to the same server
>> (can use F5's cookie for stickiness)
>>
>> 2. Subsequent authenticated requests go to that same server (can
>> use Tomcat's cookie for stickiness)
>>
>> 3. All stickiness expires when the user's authenticated session
>> expires. Since HTTP-DIGEST authentication does not have a
>> standard way to de-authenticate a client, you'll have to figure
>> out when this happens. I would use the invalidation of the
>> session cookie to trigger a reset of the F5's stickiness cookie.
>> I'm not sure how to actually do that with an F5.
>
> I believe I already do 3 (clearing the LB cookie, every X mn), but
> this solution is client side, meaning everybody must be a good
> citizen. I would prefer a solution that enforces the policy = LB or
> server side

Just set the expiration-date of the cookie (on the server) to be 2 minutes?

-chris
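
Step 3 of the quoted list combined with the 2-minute lifetime suggested in the reply, written as a servlet filter; this is an added example, not code from the thread. The cookie name `LB_STICKY`, the `/` path, and the premise that the load balancer honours a stickiness cookie rewritten by the backend are assumptions.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: ties a load-balancer stickiness cookie to the Tomcat session. */
public class StickinessExpiryFilter implements Filter {
    // Hypothetical name; use the name the load balancer is configured with.
    static final String LB_COOKIE = "LB_STICKY";
    // The 2-minute lifetime suggested in the reply.
    static final int MAX_AGE_SECONDS = 120;

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String sticky = null;
        Cookie[] cookies = request.getCookies(); // null when the request has none
        if (cookies != null) {
            for (Cookie c : cookies) {
                if (LB_COOKIE.equals(c.getName())) sticky = c.getValue();
            }
        }
        // No session id presented: the client may still be in the 2-step
        // authentication (step 1), so the stickiness cookie is left alone.
        if (sticky != null && request.getRequestedSessionId() != null) {
            // A presented but invalid session id means the session expired or
            // was invalidated: reset stickiness (step 3). Otherwise renew it.
            boolean live = request.isRequestedSessionIdValid();
            Cookie out = new Cookie(LB_COOKIE, live ? sticky : "");
            out.setPath("/");        // assumed; must match the original cookie's path
            out.setHttpOnly(true);
            out.setMaxAge(live ? MAX_AGE_SECONDS : 0); // 0 tells the client to delete it
            response.addCookie(out); // set before the chain commits the response
        }
        chain.doFilter(req, res);
    }
}
```

The filter renews the 2-minute lifetime on every request that carries a valid session id, so the stickiness cookie lapses two minutes after the last such request or as soon as the session id stops being valid.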