Hi,
Hoping someone might be able to help us with this one as we're well & truly stumped...
We have a site that uses PHP to authenticate users against a database and allow access if the login details are correct. We then have a script on each page to make sure the user is still logged in correctly & the session is still valid as they access the individual pages. There is a 5 hour timeout set on the cookie/session.
But when our client is browsing the site she is regularly getting logged out and asked to log in again, & we only have that problem when the site is accessed by someone from the client's company on their network.
So the client's IT Dept came back with:
"The issue arises because we load balance connections to the internet.
So a user could be using one of our links to get into the site in the first place and then browse a few pages and then click on a link which will generate a new http session which may be sent out our other link. This new session will have a different source IP address than the original session (through which the user was authenticated) and I suspect this is what prompts the server to re-authenticate the user.
If secure access is required to the point where the source IP is validated with each session, then the site should use https, which will not be load balanced. If the site relies on cookies for security, then it should ignore the source IP address."
& we thought we had addressed the issue by implementing the following:
The secure cert is in place and the URL being used to access the site is https://www.somesite/com.
We have examined our authentication script and we are not relying on the IP to keep the session alive and the user logged into the site.
BUT the client is still being asked to re-login and I'm all out of ideas - any help or suggestions would be excellent as the project is now at a standstill and the frustration is building.
Thanks in advance
carrig
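
The per-page check discussed in the post above, as an added example that is not part of the original post or the site's own script: it compares a session check that binds to the source IP with one that relies only on the session and the 5 hour timeout, and returns a reason code that can be logged to see which rule forces the re-login. The function name, array keys, addresses and timestamps are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; sample data below is constructed.
const SESSION_LIFETIME = 5 * 3600; // the 5 hour timeout from the post

/**
 * Decide whether a stored login session is still valid for this request.
 * $session stands in for $_SESSION, $clientIp for $_SERVER['REMOTE_ADDR'].
 * Returns a reason string so a forced re-login can be logged and diagnosed.
 */
function checkSession(array $session, string $clientIp, int $now, bool $bindToIp): string
{
    if (empty($session['user_id'])) {
        return 'no-login';
    }
    if ($now - ($session['last_seen'] ?? 0) > SESSION_LIFETIME) {
        return 'expired';
    }
    // The rule the IT department suspects: reject when the source IP differs.
    if ($bindToIp && !hash_equals($session['login_ip'] ?? '', $clientIp)) {
        return 'ip-changed';
    }
    return 'ok';
}

// Constructed sample: login leaves via one outbound link, later pages via the other.
$login = 1700000000;
$session = ['user_id' => 42, 'login_ip' => '198.51.100.10', 'last_seen' => $login];
$requests = [
    [$login + 60, '198.51.100.10'],      // same link as the login
    [$login + 120, '203.0.113.20'],      // same browser, second link
    [$login + 6 * 3600, '203.0.113.20'], // past the 5 hour limit
];

foreach ([true, false] as $bindToIp) {
    foreach ($requests as [$now, $ip]) {
        printf(
            "bind=%s ip=%-14s +%5ds => %s\n",
            $bindToIp ? 'yes' : 'no ',
            $ip,
            $now - $login,
            checkSession($session, $ip, $now, $bindToIp)
        );
    }
}
```

Writing the returned reason to the server log on every forced re-login shows whether the IP rule, the timeout or a missing session is the one firing.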