IIS 7 and IIS 7.5 Output Cache Session Swapping

Document ID : KB000019250
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

Session Swapping has been observed in IIS7.5 with IWA and web agent versions r12 SP3 CR12 to r12.5 CR3. This is the result of changes in cache/pipelining changes in IIS7.5.

The IIS pipeline implementation in IIS 7.0 and IIS 7.5 output cache will cache all 'set-cookie' response headers for a given resource request. Because the caching is agnostic of application logic, keeping this cache enabled with SiteMinder will result in swapped user sessions for users accessing the same resources. Note that this same session swapping issue can occur with non SiteMinder web based applications which rely on cookies for session management as well.

Solution:

A fix is available in the r12.5 CR4 (175588/175911) and r12.51 CR1 (171158) releases. Corresponding fixes are planned for the r12.0 SP4 CR0 and r12.52 CR0 releases. Two workarounds have been outlined below.

Workarounds

  • Change HTML request pipelining to classic mode.
  • Disable user output caching in IIS. (NOTE: Our testing found that disabling kernel output cache to be sufficient, however, our recommendation is to disable both the user and the kernel output caches.)

Details of Fix

A new agent ACO parameter "IISCacheDisable" has been added in r12.51 CR1. Setting "IISCacheDisable=yes" disables both the user cache and the kernel cache for any SiteMinder response which has a 'set-cookie' in it.

The specific Microsoft API calls used are:
     HttpResponse->DisableKernelCache();
     HttpResponse->DisableUserCache();

Questions and Answers

Question 1. According to Microsoft article (http://support.microsoft.com/kb/817445), ISAPI filters are not cache-aware by default. Does SiteMinder ISAPI filter use the defaults or change any settings related to caching such as FilterEnableCache?

The web agent for IIS 7 and IIS 7.5 had not used the IIS cache APIs prior to the releases mentioned above. This change was introduced to simplify and ensure that the user and kernel output caches are disabled for any SiteMinder 'set-cookie' response.

--------

Question 2. For Modules in IIS 7.x, the logic in caching is different. Does the SiteMinder web agent version r12.5 for IIS have any settings related to caching?

From an article at www.ksingla.net:
     "The existing IIS6 user-mode file cache, token cache, URI cache, metadata
     cache and kernel-mode http.sys response cache are mostly unchanged in IIS7
     [...]. Native output cache is the new user mode response cache added in
     IIS7. This module provides similar functionality as provided by the managed
     output cache module in ASP.NET. Functionality of this module can be
     controlled by editing system.webServer/caching section or by using
     IHttpCachePolicy intrinsic. Following properties can be set in
     system.webServer/caching section."

The IISCacheDisable ACO parameter was added to 12.51.

--------

Question 3. The ordered list of modules in any r12.5 installation for IIS 7.x shows the agent modules listed last. This according to Microsoft documentation implies that the module is going to be executed last. But according to CA's documentation the web agent has the highest priority. How can this be verified?

Modules register themselves with IIS to be inserted into the pipeline based on the types of events they listen to.

The SiteMinder IIS7 module implements the following request processing events:
RQ_AUTHENTICATE_REQUEST (post event notification) and
RQ_EXECUTE_REQUEST_HANDLER

The Output Cache Module implements the following request processing events:
RESOLVE_REQUEST_CACHE, and UPDATE_REQUEST_CACHE

Order of modules only matters when two modules (IIS Output Cache Module and SiteMinder Agent Module for example) are set up to handle the same IIS event types. Since these are different event types, order of the modules will not make a difference here. Good documentation on IIS7 is here:
http://technet.Microsoft.com/en-us/library/dd163535.aspx

http://www.iis.net/learn/get-started/introduction-to-iis/iis-modules-overview

In comparison with IIS7, the SiteMinder ISAPI60 module implements the following request processing events:
SF_NOTIFY_PREPROC_HEADERS,SF_NOTIFY_AUTHENTICATION,SF_NOTIFY_LOG

--------

Question 4. As this issue was exclusively observed on r12.x-IIS 7.x platform in integrated mode and not in classic mode, was the ACO parameter IISCacheDisable sepecifically introduced in r12.51 web agents for IIS 7.0 and IIS 7.5 to address the caching issue when IIS is running in integrated mode?

In the Microsoft Classic pipeline there is an 'output cache' functionality which is available within the asp.net dll - however since the web agent filter sits above asp.net, SiteMinder intercepts cache reads.

In the Microsoft Integrated pipeline, the output cache was implemented within new Output Cache Module - because SiteMinder implements different request processing events than the output cache module, the output cache module is still getting called.

NOTE: Users are able to experience cache session swapping issues without SiteMinder enabled at all. See the article "Sessions and Output Caching" http://msdn.Microsoft.com/en-us/magazine/cc163577.aspx. This article seems to point to a known issue: http://support.Microsoft.com/kb/917072

Related Discussion: Session Swapping with Application Level Load Balancers

Very similar session swapping behavior can also occur when application level caching is introduced between the browser and the web server/web agent in which both pages and http outgoing headers are cached. Hardware Load Balancing products will often include this functionality out of the box, therefore it is important to be aware of whether this feature is being deployed in default configurations. A known solution for this behavior is listed below:

In general ISAPI filters can pass HTTP headers back up the pipeline to instruct modules upstream and browsers to either cache or not cache a particular request EG Expires: -1 or Pragma: No-Cache. SiteMinder can set HTTP headers using the following two ACO settings (note that these settings apply to all pages or none for a particular agent):

ExpireForProxy
     Prevents a client from caching content (pages and potentially headers or
     cookies). When the value of this parameter is set to yes , the Web Agent
     inserts one of the following HTTP headers into the HTTP response:
     Expires: Thu, 01 Dec 1994 16:00:00 GMT
     Cache-Control:no-cache

ProxyHeadersAutoAuth
     Specifies the value of an HTTP 1.1 header that the Web Agent inserts into
     an HTTP response to a client when the ExpireForProxy parameter in the Web
     Agent Configuration is set to yes. The value of this header determines if
     or for how long the auto-authorized resource is cached.
     Default:
     Expires: Thu, 01 Dec 1994 16:00:00 GMT