Replies: 2 comments
-
Different servers will be seen from the client with different names, so the actual GSSAPI authentication will have to use a different keytab for each[*], but other than that step you can then generate a cookie that is shared across multiple servers in the same domain by setting the cookie domain portion to a subdomain name rather than a specific server name. Note that the browsers will then send that cookie to any machine they contact in that subdomain, which may cause some HTTP header bloat. However, cookies are encrypted so there will be no leakage of data to other machines.

As for replication, mod_auth_gssapi does not directly handle cookies, it uses the mod_session module instead, so as long as you have a mod_session module that can share these sessions across servers you should be able to share cookies. Keep in mind that because you are sharing this storage between multiple servers and the cookie itself is encrypted you will have to use GssapiSessionKey and a key shared among all those servers as well.

Note that mod_auth_gssapi does NOT use the mod_session_crypto facility to encrypt the cookie, so you can't configure encryption that way, and encryption of the cookie cannot be disabled; if you do not configure a key, then each server will generate a different one at runtime.

HTH

[*] You could use aliases on the KDC and configure krb5 to ignore the service name to effectively use a single key for all of them I guess, but clients will still get a different ticket for each server name.
-
I just realized that when you say "multiple servers" you mean a load-balancing situation where they all share the same name to the client, they are just distinct instances of the same server running on multiple machines. All of the above applies (except you can ignore the part about clients seeing them as distinct names and getting distinct tickets). In addition this requires all servers to share the same keytab. Cookie storage considerations are unchanged in any case.
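An added example, not part of the replies above and not taken from the project's documentation: an Apache fragment, deployed identically on every server, that sketches the setup the two replies describe (shared keytab, mod_session cookie, shared GssapiSessionKey). The location path, domain, keytab path and key value are placeholders chosen for illustration.

```apache
# Added example; requires mod_auth_gssapi, mod_session and mod_session_cookie
# to be loaded. Placeholders (assumptions): /app, .example.com,
# /etc/httpd/http.keytab and the key value below.
<Location "/app">
    AuthType GSSAPI
    AuthName "Kerberos Login"

    # Load-balanced case from the second reply: all instances answer under
    # the same name, so every server uses a copy of the same keytab.
    GssapiCredStore keytab:/etc/httpd/http.keytab

    # Keep the authenticated state in a mod_session session so that a
    # request landing on another server does not have to re-negotiate.
    GssapiUseSessions On
    Session On

    # mod_session_cookie carries the session in the browser cookie itself.
    # The domain attribute is only needed when the servers are reached under
    # different names in one subdomain (first reply); browsers will then
    # send the cookie to every host in that subdomain.
    SessionCookieName gssapi_session path=/app;domain=.example.com;httponly;secure

    # The same key must be configured on every server. Without it each
    # server generates its own key at runtime and cannot decrypt a cookie
    # issued by another instance. The value is 32 random bytes, base64
    # encoded (for example the output of `openssl rand -base64 32`).
    GssapiSessionKey key:REPLACE_WITH_SHARED_BASE64_32_BYTE_KEY

    Require valid-user
</Location>
```

Treat the session key like the keytab: distribute it through the same restricted channel and keep the file that contains it readable only by the web server's configuration owner.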
-
Hello,
we want to host the same HTTP app on multiple servers. All state of the application is shared in the same DB.
The last piece not shared is cookie storage. Is there a replication mechanism available so we can hit either server and it works? I thought about a shared folder but wanted to check if there is a real solution.