Fortinet 39 FortiWeb 5.0 Patch 6 Administration Guide
Sessions & FortiWeb HA
The table of FortiWeb client session histories is not synchronized between HA members. If a
failover occurs, the new active appliance recognizes that existing session cookies were issued
by a FortiWeb and allows those sessions to continue, so clients' existing sessions are not
interrupted. Only the cookie survives the failover, however: the request history behind it does
not, so rules that depend on that history cannot be enforced for existing sessions (see the
example below).
New sessions are formed with the current main appliance.
For more information on what data and settings are synchronized by HA, see “HA heartbeat &
synchronization” on page 40 and “Configuration settings that are not synchronized by HA” on
page 42.

Example: Magento & FortiWeb sessions during failover

A client might connect through a FortiWeb HA pair to an e-commerce site. The site runs
Magento, which sets cookies, on a server farm. To prevent session stealing and some other
session-based attacks, Magento can track its own cookies and validate session information in
$_SESSION using server-side memory.
In the FortiWeb HA pair that protects the server farm, you have enabled Session Management,
so the active appliance (FortiWeb A) also adds its own cookie to the HTTP response from
Magento. The HTTP response therefore contains 2 cookies:
Magento’s session cookie
• FortiWeb’s session cookie
The next request from the client echoes both cookies. It is for an authorized URL, so FortiWeb A
permits the web site to respond.
Figure 6: Session initiation with FortiWeb A — Cookie added to 1st response
Let's say you then update FortiWeb A's firmware. During the update, the standby appliance
(FortiWeb B) assumes the role of the active appliance while FortiWeb A applies the update and
reboots (that is, a failover occurs).
Because the new active appliance does not have the previous session history, after the failover
FortiWeb cannot enforce, for existing sessions, actions that are based upon:
• the order of page requests in that session ID's history, such as page order rules
• the count or rate of requests that it remembers for that session ID, such as rate limiting per
session ID per URL,
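The failover sequence above, as a small Python model added to this page (it is not FortiWeb or Magento code): a tagged session cookie that either HA member accepts, next to a per-appliance request-history table that is never synchronized. The cookie name FWSESSID, the name of Magento's cookie, the shared secret, the rule thresholds and the URLs are assumptions made for the example. Running it shows the cookie minted by FortiWeb A being accepted by FortiWeb B without a new session being started, while B's empty history lets a /checkout through without a prior /cart and restarts the per-URL request counter.

```python
"""Toy model of session handling across a FortiWeb HA failover.

Added example, not FortiWeb or Magento code. The cookie names, cookie format,
shared secret, rule thresholds and URLs are all constructed for the example.
"""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Assumption: both HA members can validate a cookie minted by the other, so
# the session survives failover. Modelled here with a shared HMAC secret.
HA_SHARED_SECRET = b"constructed-secret-for-the-example"
FW_COOKIE = "FWSESSID"            # hypothetical FortiWeb cookie name
APP_COOKIE = "magento_session"    # hypothetical name for Magento's own cookie


def _tag(session_id):
    return hmac.new(HA_SHARED_SECRET, session_id.encode(), hashlib.sha256).hexdigest()[:16]


def mint_cookie():
    session_id = secrets.token_hex(8)
    return f"{session_id}.{_tag(session_id)}"


def cookie_is_from_fortiweb(cookie):
    """True if the cookie carries a valid tag, whichever HA member minted it."""
    session_id, sep, tag = cookie.partition(".")
    return bool(sep) and hmac.compare_digest(tag, _tag(session_id))


class Appliance:
    """One HA member. `history` is local memory that HA does not synchronize."""

    def __init__(self, name, rate_limit=3):
        self.name = name
        self.rate_limit = rate_limit       # max requests per session ID per URL
        self.history = defaultdict(list)   # session ID -> URLs seen, in order
        self.inherited = set()             # sessions that arrived with a peer's cookie

    def handle(self, url, request_cookies):
        """Return (status, cookies to set). 200 means the request went to Magento."""
        set_cookies = {}
        fw_cookie = request_cookies.get(FW_COOKIE)
        if fw_cookie is None or not cookie_is_from_fortiweb(fw_cookie):
            # New session: FortiWeb adds its own cookie next to Magento's.
            fw_cookie = mint_cookie()
            set_cookies[FW_COOKIE] = fw_cookie
            set_cookies[APP_COOKIE] = secrets.token_hex(8)
        session_id = fw_cookie.partition(".")[0]
        if FW_COOKIE not in set_cookies and session_id not in self.history:
            # Valid cookie, unknown session ID: minted by the peer before
            # failover. The session continues, but its past is unknown here.
            self.inherited.add(session_id)
        seen = self.history[session_id]

        # Page order rule: /checkout only after /cart. Cannot be enforced for a
        # session whose earlier requests were handled by the peer.
        if url == "/checkout" and "/cart" not in seen and session_id not in self.inherited:
            return 403, set_cookies
        # Rate limit per session ID per URL, counted from this appliance's own history.
        if seen.count(url) >= self.rate_limit:
            return 429, set_cookies
        seen.append(url)
        return 200, set_cookies


def failover_scenario():
    """Replay the Magento example: session starts on A, A reboots for a
    firmware update, B becomes active with an empty history table."""
    a, b = Appliance("FortiWeb A"), Appliance("FortiWeb B")
    client = {}                          # the client's cookie jar
    out = {}

    def send(appliance, url):
        status, set_cookies = appliance.handle(url, client)
        client.update(set_cookies)       # the client echoes every cookie it was given
        return status

    send(a, "/")
    out["cookies_in_first_response"] = sorted(client)              # both cookies present
    out["a_checkout_without_cart"] = send(a, "/checkout")          # 403: order rule enforced
    send(a, "/cart")
    out["a_checkout_after_cart"] = send(a, "/checkout")            # 200
    out["a_item_requests"] = [send(a, "/item") for _ in range(4)]  # 4th request hits the limit

    # Failover: FortiWeb A is applying the update and rebooting; B takes over.
    # Nothing from a.history is copied to b.history.
    cookie_before = client[FW_COOKIE]
    send(b, "/")
    out["b_kept_session"] = client[FW_COOKIE] == cookie_before     # no new cookie issued
    out["b_checkout_without_cart"] = send(b, "/checkout")          # 200: history unknown on B
    out["b_item_requests"] = [send(b, "/item") for _ in range(4)]  # counter restarted from zero
    return out


if __name__ == "__main__":
    for key, value in failover_scenario().items():
        print(f"{key}: {value}")
```

The point to take from the model is that a rate limit or page-order rule enforced per session ID is reset by a failover, even though the client keeps the same cookie. The application's own server-side checks (Magento's $_SESSION validation in this example) therefore cannot depend on FortiWeb's per-session history, and a planned failover such as a firmware update is a moment to expect those rules to be briefly ineffective for sessions that were already open.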