Web OS 10.0 Application Guide, Chapter 16: Persistence (page 437, 212777-A, February 2002)

SSL Session ID-Based Persistence

SSL is a set of protocols built on top of TCP/IP that allows an application server and client to communicate over an encrypted HTTP session, providing authentication, non-repudiation, and security. The SSL protocol handshake is performed using clear (unencrypted) text. The content data is then encrypted (using an algorithm exchanged during the handshake) prior to being transmitted.

Using the SSL session ID, the switch forwards the client request to the same real server to which it was bound during the last session. Because the SSL protocol allows many TCP connections from the same client to a server to use the same session ID, the key exchange needs to be done only when the session ID expires. This reduces server overhead and provides a mechanism for sending all sessions to the same real server, even when the client IP address changes.

NOTE – The destination port number to monitor for SSL traffic is user-configurable.

How SSL Session ID-Based Persistence Works

- All SSL sessions that present the same session ID (32 random bytes chosen by the SSL server) are directed to the same real server.

NOTE – The SSL session ID can only be read by the switch after the TCP three-way handshake. In order to make a forwarding decision, the switch must terminate the TCP connection to examine the request.

- New sessions are sent to a real server based on the metric selected (hash, roundrobin, leastconns, minmisses, response, or bandwidth).
- If no session ID is presented by the client, the switch picks a real server based on the metric for the real server group and waits until a connection is established with the real server and a session ID is received.
- The session ID is stored in a session hash table. Subsequent connections with the same session ID are sent to the same real server. This binding is preserved even if the server changes the session ID mid-stream. A change of session ID in the SSL protocol will cause a full three-way handshake to occur.
- Session IDs are kept on the switch until an idle time equal to the configured server timeout (a default of 10 minutes) for the selected real server has expired.
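As an added illustration of the procedure above (example code, not from the Web OS guide or the switch firmware), this Python model reads the session ID field of an SSLv3/TLS ClientHello or ServerHello record, keeps the session hash table, falls back to the roundrobin metric when no usable ID is presented, binds the ID the real server chooses, and drops a binding once it has been idle longer than the server timeout (600 s, the 10-minute default). The class and function names, the constructed records and the all-zero random field are assumptions made for the example.

```python
import itertools
import struct

HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02   # record type, handshake types

def parse_hello_session_id(record: bytes, hello_type: int) -> bytes:
    """Session ID from a ClientHello/ServerHello record: 5-byte record header,
    4-byte handshake header, version(2), random(32), sid_len(1), sid(0..32)."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != hello_type:
        raise ValueError("unexpected handshake message")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hs) < 35 or hs[34] > 32 or len(hs) < 35 + hs[34]:
        raise ValueError("truncated hello or bad session_id length")
    return hs[35:35 + hs[34]]

def build_hello(hello_type: int, session_id: bytes) -> bytes:
    """Constructed test record: version 3.1, all-zero random, given session ID."""
    hs = b"\x03\x01" + bytes(32) + bytes([len(session_id)]) + session_id
    body = bytes([hello_type]) + len(hs).to_bytes(3, "big") + hs
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(body)) + body
class PersistenceTable:
    """Session ID -> real server bindings, dropped after idle_timeout seconds."""
    def __init__(self, servers, idle_timeout=600):      # 600 s: switch default
        self._rr = itertools.cycle(servers)              # 'roundrobin' metric
        self.idle_timeout = idle_timeout
        self._bindings = {}                              # sid -> (server, last_seen)
    def lookup(self, session_id: bytes, now: float):
        server, last_seen = self._bindings.get(session_id, (None, 0))
        if server is None:
            return None
        if now - last_seen > self.idle_timeout:          # idle too long: unbind
            del self._bindings[session_id]
            return None
        self._bindings[session_id] = (server, now)       # refresh idle timer
        return server
    def select(self, client_hello: bytes, now: float) -> str:
        """Known session ID wins; otherwise fall back to the metric."""
        sid = parse_hello_session_id(client_hello, CLIENT_HELLO)
        server = self.lookup(sid, now) if sid else None
        return server if server is not None else next(self._rr)
    def bind(self, server_hello: bytes, server: str, now: float) -> bytes:
        """Bind the ID the real server chose (also when it changes mid-stream)."""
        sid = parse_hello_session_id(server_hello, SERVER_HELLO)
        if sid:
            self._bindings[sid] = (server, now)
        return sid
```

The model mirrors the note above: the switch can only read the ID once the handshake record arrives, so `select` runs after the TCP connection is terminated on the switch, not on the SYN.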