Fortinet 39 FortiWeb 5.0 Patch 6 Administration Guide
Sessions & FortiWeb HA
The table of FortiWeb client session histories is not synchronized between HA members. If a
failover occurs, the new active appliance will recognize that old session cookies are from a
FortiWeb, and will allow existing FortiWeb sessions to continue. Clients’ existing sessions will
not be interrupted.
New sessions will be formed with the current main appliance.
For more information on what data and settings are synchronized by HA, see “HA heartbeat & synchronization” on page 40 and “Configuration settings that are not synchronized by HA” on page 42.
Example: Magento & FortiWeb sessions during failover
A client might connect through a FortiWeb HA pair to an e-commerce site. The site runs
Magento, which sets cookies, on a server farm. To prevent session stealing and some other
session-based attacks, Magento can track its own cookies and validate session information in
$_SESSION using server-side memory.
In the FortiWeb HA pair that protects the server farm, you have enabled Session Management, so the active appliance (FortiWeb A) also adds its own cookie to the HTTP response from Magento. The HTTP response therefore contains 2 cookies:
• Magento’s session cookie
• FortiWeb’s session cookie
The next request from the client echoes both cookies. It is for an authorized URL, so FortiWeb A permits the web site to respond.
Figure 6: Session initiation with FortiWeb A — Cookie added to 1st response
Let’s say you then update FortiWeb A’s firmware. During the update, the standby appliance
(FortiWeb B) briefly assumes the role of the active appliance while FortiWeb A is applying the
update and rebooting (i.e. a failover occurs).
Because the new active appliance does not know previous session history, after failover, for
existing sessions, FortiWeb will not be able to enforce actions that are based upon:
• the order of page requests in that session ID’s history, such as page order rules.
• the count or rate of requests that it remembers for that session ID, such as rate limiting per session ID per URL,