HTTPS session reset after one hour of utilisation (HTTP session seems OK)
Reported by
manuel.v...@gmail.com,
Nov 20
|
||||||||||
Issue descriptionChrome Version: 70.0.3538.110 (Build officiel) (64 bits) OS Version: Windows 6.1 (Windows 7, Windows Server 2008 R2) URLs (my test page): https://www.cogibot.com/chrome_test.jsp Other browsers tested: Safari: FAIL (version 5.1.7 (7534.57.2) for PC, but I consider this (as older versions) have a deprecated session handling. Firefox: OK IE/Edge: OK What steps will reproduce the problem? 1. Browse my secured (https) test page at https://www.cogibot.com/chrome_test.jsp 2. Wait one hour 3. A new session will be created What is the expected result? Same session should be kept for ever What happens instead of that? A new session is created passed one hour ! Additional information: UserAgentString: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.110 Safari/537.36 No issue with Firefox. Chromium seems to work properly with a non secure (http) test page on same server : http://www.mevb-informatique.com/chrome_test.jsp Cordially, Manuel
,
Nov 20
,
Nov 20
Please include a chrome://net-export log, as described at https://www.chromium.org/for-testers/providing-network-details In general, this sounds like a server-side issue. A chrome://net-export will confirm.
,
Nov 20
,
Nov 20
,
Nov 20
,
Nov 21
Find here a chrome://net-export log
,
Nov 21
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 23
I have set SSL level log on server side and it appears the problem is caused by a connection reset while writing TLSv1.2 data !
,
Nov 26
In the netlog, I see that it makes a new https connection every 20 seconds, and the https connections usually use TLS resumption, but on the one hour mark I see that the request is not resumed:
t=3618539 [st=269] -SSL_CONNECT
--> cipher_suite = 49199
--> is_resumed = false
--> next_proto = "unknown"
--> version = "TLS 1.2"
If your server is using TLS session resumption to track user sessions, that would explain that. Chrome intentionally reuses TLS sessions only for a limited time.
HTTP obviously does not have TLS session resumption, so your server must be doing something else (cookies?). That would explain why the behavior is different between HTTP and HTTPS.
When I loaded your test site I saw the https version did not set any session cookie. The sites aren't loading for me anymore, so I can't confirm what the http site does.
So I'm thinking this is working as intended, you'll need to address this server side by changing how you implement sessions on HTTPS connections. Let us know if that analysis was correct or if I missed anything.
,
Nov 27
Hi Matt, On the sever side I have disabled TLS resumption and enabled cookies for SSL session tracking (instead SSL certificate) and voilĂ ... ...no more connection resets with HTTPS scheme. You nailed it, I owe you a beer! I have also read that paper (https://www.theregister.co.uk/2018/10/19/tls_handshake_privacy/) which basically says that "The most effective technique is to disable TLS session resumption in browsers completely". Am I right to think that Chrome still uses TLS resumption only for compatibility reasons (because it's less secure) and is it planned to be disable on the future? I thank you very much, Manuel P.S. Are the sites still unavailable for you?
,
Nov 27
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Nov 27
,
Nov 27
> Am I right to think that Chrome still uses TLS resumption only for compatibility reasons (because it's less secure) and is it planned to be disable on the future? No.
,
Nov 28
Ok. Could someone remove this issue as it not seems valuable? Thanx |
||||||||||
►
Sign in to add a comment |
||||||||||
Comment 1 by manuel.v...@gmail.com
, Nov 20