If you're a software developer, on the other hand, you'll have to consider how to handle session state for the
server cluster in order to preserve authentication credentials.
There are several mechanisms for doing this. One is through load balancing and the other involves the Microsoft Cluster Service (MCSC). In Windows Server 2003, MCSC integrates with Active Directory. It creates a virtual service object within Active Directory that allows Kerberos authentication. This object is used only for Kerberos authentication and can't be used for applying Group Policy Objects (GPO).
In other versions of Windows and Unix systems, more traditional load balancing systems are used. In general, these systems use load balancing software to distribute traffic across servers that are members of a cluster. The load balancer is assigned a virtual IP address that can represent any server in the cluster.
When requests are made to this virtual IP address, the session is preserved by the load balancer and distributed to member servers. Among the data in the session is a unique string of characters and numbers assigned after login. If someone is logged onto the Web site and hits a link that goes to another Web server in the cluster, as you describe, the load balancer automatically authenticates the user to the second Web server.
Load balancers are supposed to keep the session alive, even if the original server goes down. Again, the session is stored by the load balancer, so it isn't extinguished by the loss of any one server in the cluster.
In J2EE, for example, there are session objects associated with a servlet. The session can be shared across all the servers in a cluster, or just stored in a few that can be accessed as needed. There are multiple coding schemes for doing this that are beyond the scope of this brief tip.
Generally, once the user is authenticated to the cluster, the load balancer managing the cluster takes over maintaining the session state.
For more information:
Dig deeper on Two-Factor and Multifactor Authentication Strategies
Related Q&A from Joel Dubin, past SearchSecurity.com expert
The security of RFID chips and smart cards may not be fully mature, but there are best practices to keep facilities safe. Identity and access ...continue reading
Picture passwords for mobile device security aren't a new idea, but they have been recently improved. Identity and access management expert Joel ...continue reading
Hacked smart cards are a large potential threat to enterprises that utilize them. Learn how to thwart smart card hackers.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.