10.4.2 SSL ID tracking
When SSL ID tracking is enabled for requests over SSL, SSL session information is used to track the HTTP session ID.
Because the SSL session ID is negotiated between the Web browser and HTTP server, it cannot survive an HTTP server failure. However, the failure of an appserver does not affect the SSL session ID and if the distributed session is not configured, the session itself is lost. In environments that use WebSphere Edge Server with multiple HTTP servers, use an affinity mechanism when SSL session ID is used as the session tracking mechanism.
SSL tracking is supported only for the IBM HTTP Server and SUN ONE Web Server.
The lifetime of an SSL session ID can be controlled by configuration options in the Web server. For example, in the IBM HTTP Server, the configuration variable SSLV3TIMEOUT must be set to allow for an adequate lifetime for the SSL session ID. Too short an interval could result in premature termination of a session. Also, some Web browsers might have their own timers that affect the lifetime of the SSL session ID. These Web browsers might not leave the SSL session ID active long enough to be useful as a mechanism for session tracking.
When the SSL session ID is to be used as the session tracking mechanism in a clustered environment, either cookies or URL rewriting must be used to maintain session affinity. The cookie or rewritten URL contains session affinity information that enables the Web server to properly route requests back to the same server once the HTTP session has been created on a server. The SSL ID is not sent in the cookie or rewritten URL but is derived from the SSL information.