10.1 What is Session Broker?

If you run more than one Novell® iChain® box at your site, you might need Session Broker. Session Broker allows “sessions” (user authentication data) to be shared between multiple iChain boxes, so a user needs to authenticate only once while browsing across all of them.

For example, an iChain site might contain two iChain servers, iChain A and iChain B, both accelerating the same back-end Web servers. These two iChain servers sit behind a layer-4 (L4) switch whose task is to load balance the HTTP and HTTPS requests going to the iChain servers.

In this scenario, a user browses to a page on your Web site. The Web server's DNS entry resolves to the virtual IP address of the L4 switch. The L4 switch forwards the request to the iChain A server. iChain asks the user to authenticate before granting access to the page. Once the user has authenticated, iChain sets an iChain-specific cookie in the user's browser.

Suppose that while browsing, the user's next request for a protected page is sent by the L4 switch to the iChain B server. Without Session Broker, the user is required to authenticate again, because the iChain B server has no way of knowing that the user has already authenticated to the iChain A server.

When a Session Broker server is running, each iChain server (acting as a client to the Session Broker server) shares information about its authenticated users with the Session Broker, and consults it whenever an incoming request carries an iChain-specific cookie for a session that the server itself does not know. In the above scenario, when the user tries to access a protected page through the iChain B server, the user is not yet authenticated to this box, but the incoming request has the iChain cookie set. The iChain B server therefore asks the Session Broker server whether the user is already authenticated to a different iChain box. If so, the user is granted access without needing to authenticate again. See Figure 10-1 for a visual diagram of this process.

Figure 10-1 Session Broker: Visual Diagram
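The flow in Figure 10-1 can be modelled in a few dozen lines. The following is an added example written for this page, not iChain or Session Broker code: the cookie name, the credential store and the round-robin L4 switch are all constructed for the simulation. Two proxy boxes share one broker; a browser keeps a cookie jar and is asked to log in whenever a box answers 401. Running the same request sequence with and without the broker shows the difference the text describes.

```python
"""Toy model of the Session Broker flow (added example, not iChain code)."""
import secrets
from dataclasses import dataclass, field
from itertools import cycle

SESSION_COOKIE = "ICHAIN_SESSION"       # hypothetical cookie name
USERS = {"alice": "correct horse"}       # constructed credential store


@dataclass
class Response:
    status: int
    set_cookie: dict = field(default_factory=dict)


class SessionBroker:
    """Shared store: each box registers the sessions it creates and
    looks up session ids it has not seen locally."""

    def __init__(self):
        self._sessions = {}               # session id -> username

    def register(self, sid, user):
        self._sessions[sid] = user

    def lookup(self, sid):
        return self._sessions.get(sid)


class IChainProxy:
    """One accelerator box. broker=None models running without Session Broker."""

    def __init__(self, name, broker=None):
        self.name = name
        self.broker = broker
        self.local = {}                   # sessions this box created or imported
        self.auth_prompts = 0             # how often this box demanded a login

    def _resolve(self, sid):
        """Map a cookie value to a user: local table first, then the broker."""
        if sid is None:
            return None
        user = self.local.get(sid)
        if user is None and self.broker is not None:
            user = self.broker.lookup(sid)
            if user is not None:
                self.local[sid] = user    # cache the session imported from the other box
        return user

    def handle(self, cookies, credentials=None):
        """Serve one request; credentials is (user, password) on a login attempt."""
        if self._resolve(cookies.get(SESSION_COOKIE)) is not None:
            return Response(200)
        if credentials is None or USERS.get(credentials[0]) != credentials[1]:
            self.auth_prompts += 1
            return Response(401)          # unknown cookie or bad password: ask for login
        username = credentials[0]
        sid = secrets.token_urlsafe(32)   # the cookie is a bearer token, so it must be unguessable
        self.local[sid] = username
        if self.broker is not None:
            self.broker.register(sid, username)
        return Response(200, {SESSION_COOKIE: sid})


class Browser:
    def __init__(self, username, password):
        self.creds = (username, password)
        self.jar = {}
        self.logins = 0

    def fetch(self, proxy):
        """Send the cookie jar; on 401, log in and store the returned cookie."""
        resp = proxy.handle(dict(self.jar))
        if resp.status == 401:
            self.logins += 1
            resp = proxy.handle(dict(self.jar), self.creds)
        self.jar.update(resp.set_cookie)
        return resp.status


def run_scenario(with_broker, requests=6):
    """Return how many logins alice needs for `requests` round-robin fetches."""
    broker = SessionBroker() if with_broker else None
    boxes = [IChainProxy("iChain A", broker), IChainProxy("iChain B", broker)]
    l4_switch = cycle(boxes)              # constructed round-robin L4 switch
    browser = Browser("alice", "correct horse")
    for _ in range(requests):
        if browser.fetch(next(l4_switch)) != 200:
            raise RuntimeError("page was not served")
    return browser.logins


if __name__ == "__main__":
    print("logins with broker:   ", run_scenario(True))
    print("logins without broker:", run_scenario(False))
```

With the broker, the first box registers alice's session id and the second box resolves the unfamiliar cookie through `SessionBroker.lookup`, so one login covers all six requests. Without the broker, each box issues its own cookie under the same name and overwrites the other's, so in this strict round-robin model every request prompts for a login; sticky sessions on the L4 switch would reduce that, but only the shared store removes it. Note that a cookie value the broker has never registered still gets 401, which is why the session id is generated with `secrets.token_urlsafe` rather than anything predictable.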