Closed mariash closed 7 months ago
Can you please explain why the same behaviour cannot be achieved by having the server set the configured sticky session cookie (e.g. JSESSIONID) and using the already existing functionality?
With NTLM + Kerberos based Integrated Windows Authentication, the authentication logic happens at a core library level for .Net, rather than something the application can control. No cookies can be set until after the auth has been successful. Sticky session cookies work great after the fact, but unfortunately not for IWA.
@mariash thanks for the fixes. I have to say I feel uneasy about this change, it adds a lot of logic for a niche use-case. NTLM is not an internet standard because it introduces state to an otherwise stateless protocol like HTTP. It clearly wasn't designed with reverse-proxies like Gorouter in mind. So, to me it would have been better to add a flag for enabling the protocol in the routing-release, probably also with operator configuration options for the VCAP cookie which are now hard-coded.
The entire session handling will eventually have to move to its own middleware, I really don't like it in round tripper. Sessions don't work for websockets for example, because they are a different code path. (See this issue for that)
I will accept the changes for now, with a major refactor of the session logic on my mind.
@domdom82 FYI, we added a config flag for enabling/disabling this in https://github.com/cloudfoundry/gorouter/pull/393 and https://github.com/cloudfoundry/routing-release/pull/387.
thanks @geofffranks !
When server responds with WWW-Authenticate: Negotiate, save VCAP_ID cookie on response to client so that subsequent request with Authorization: Negotiate ... will be directed to the same application instance. See RFC-4559
[X] I have viewed, signed, and have submitted the Contributor License Agreement
[X] I have made this pull request to the main branch
[X] I have run all the unit tests.
[ ] (Optional) I have run Routing Acceptance Tests and Routing Smoke Tests
[ ] (Optional) I have run CF Acceptance Tests