PKI Authentication - Sessions Getting Crossed


It is very likely that I will leave out some important details, but here is our issue.

Setup:

IIS8 server #1 in DMZ (reverse proxy):

- Requires SSL, requires client certificates (using PKI obviously)

- ARR with URL Rewrite, server variable captures CERT_SUBJECT and puts it in a server variable

- Authentication set to anonymous

- Rewrite redirects to internal server over port 80

IIS8 server #2 - internal

- Authentication set to anonymous

- Authentication handled by DJANGO/CGI implementation (which I don't know much about yet)

- CERT SUBJECT matched with database entry for authentication/authorization

PROBLEM:

Everything typically works fine; however, if two users log in within a short period of time (I think it is seconds), the first user's session will be hijacked by the 2nd user's session, and the first user will be logged in as the 2nd user. Somehow the session state of the first user is not being maintained.

I'm still working on the exact scenario that produces this, but I can generally recreate it about 50% of the time.

At this point, I need help in narrowing down whether this is an issue with the reverse proxy server, the internal web server or the implementation of DJANGO on the internal web server.

Any recommendations on how best to proceed?

Thanks.
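One way to narrow this down is a concurrency check that sends requests carrying two different certificate subjects at the same moment and verifies that each response comes back with the identity that was sent. Run it against the reverse proxy and then directly against the internal server on port 80: if crossing only appears through the proxy, the fault is in the ARR/Rewrite layer; if it appears either way, it is on the backend. The script below is an added example, not code from the original post or from IIS, ARR or Django. It embeds two stand-in backends so it runs offline: a "buggy" one that keeps the resolved subject in a module-level global shared across request threads (a common way for a CGI/middleware identity lookup to leak one user's identity into another's concurrent request, which matches the symptom described above) and a "safe" one that keeps it in request scope. The header name `X-Client-Cert-Subject` is an assumption standing in for whatever server variable the rewrite rule forwards.

```python
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Assumed name of the header carrying the captured CERT_SUBJECT (not from the post).
HEADER = "X-Client-Cert-Subject"

# --- stand-in backend 1: identity kept in shared module state (the bug) ---
_current_subject = None  # shared by every request thread: this is the defect

def resolve_identity_buggy(subject):
    global _current_subject
    _current_subject = subject
    time.sleep(0.1)  # simulated DB lookup; another request can overwrite the global meanwhile
    return _current_subject  # may now be a different user's subject

# --- stand-in backend 2: identity kept in request scope (the fix) ---
def resolve_identity_safe(subject):
    identity = subject  # local to this request only
    time.sleep(0.1)  # same simulated lookup latency, no shared state to clobber
    return identity

def make_handler(resolver):
    """Build a request handler that answers with whatever identity the resolver returns."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            body = resolver(self.headers.get(HEADER, "")).encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo output quiet
            pass
    return Handler

def start_server(resolver):
    """Start a threaded HTTP server on a free loopback port and return it."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(resolver))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def check_session_crossing(base_url, subjects, rounds=10):
    """Fire one request per subject concurrently, `rounds` times.

    Returns a list of (sent_subject, received_identity) pairs for every
    response whose identity did not match the subject that was sent.
    An empty list means no crossing was observed at this hop.
    """
    mismatches = []
    lock = threading.Lock()

    def worker(subject):
        req = urllib.request.Request(base_url, headers={HEADER: subject})
        with urllib.request.urlopen(req, timeout=5) as resp:
            got = resp.read().decode()
        if got != subject:
            with lock:
                mismatches.append((subject, got))

    for _ in range(rounds):
        threads = [threading.Thread(target=worker, args=(s,)) for s in subjects]
        for t in threads:
            t.start()
        for t in threads:
            t.join()
    return mismatches

def demo():
    """Run the check against both stand-in backends; returns {name: mismatches}."""
    subjects = ["CN=alice,OU=Users,O=Example", "CN=bob,OU=Users,O=Example"]  # constructed
    results = {}
    for name, resolver in (("buggy", resolve_identity_buggy), ("safe", resolve_identity_safe)):
        srv = start_server(resolver)
        url = "http://127.0.0.1:%d/" % srv.server_address[1]
        results[name] = check_session_crossing(url, subjects)
        srv.shutdown()
        srv.server_close()
    return results

if __name__ == "__main__":
    for name, bad in demo().items():
        print("%-5s backend: %d crossed responses %s" % (name, len(bad), bad[:2]))
```

To use it against the real setup, point `check_session_crossing` at the proxy's URL (with the client certificates presented by a proper TLS client instead of a header) and then at the internal server with the forwarded header set by hand, using a page that echoes the logged-in identity. Whichever hop first returns a mismatched identity is where the crossing originates; the buggy backend above shows that a shared global in the identity lookup alone is enough to produce the reported "first user becomes second user" behaviour.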
