WAF with auth enforces logout (AH01842: decrypt session failed)

In the environment with WAF and enabled authentication for the forwarded URL paths, I'm having problems with users being logged out after a few minutes at times.

An error message in /var/log/reverseproxy.log can be correlated to those events:

2015:09:16-10:55:08 waf01 reverseproxy: [Wed Sep 16 10:55:08.397809 2015] [session_crypto:error] [pid 30877:tid 4113984368] (100006)Error string not specified yet: [client *.*.*.*:61412] AH01842: decrypt session failed, wrong passphrase?, referer: https://hostname.domain.net/webapp_12345/?locale=de&project=12345

Sophos support is already notified about this issue, but their first step would be to be able to reproduce the issues with access to our system. This is difficult, as it only appears at times, about every few hours with 10 users constantly using the webapps during the day.

The very same error message is mentioned in the following thread, and it appears to be a similar situation, though I haven't found a solution yet:

Apache HTTP Server - Dev - Fwd: unsetting encrypted cookies when encryption key changes

UTM version: 9.309-3
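
To line up the logouts with the AH01842 records, the entries can be pulled out of /var/log/reverseproxy.log and counted per hour, client address and worker pid. This is an added example, not part of the original post or of Sophos tooling; the sample lines are constructed from the one quoted above, with placeholder client addresses.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the log line quoted in the post.
# The 192.0.2.x / 198.51.100.x client addresses are placeholders.
SAMPLE_LOG = """\
2015:09:16-10:55:08 waf01 reverseproxy: [Wed Sep 16 10:55:08.397809 2015] [session_crypto:error] [pid 30877:tid 4113984368] (100006)Error string not specified yet: [client 192.0.2.10:61412] AH01842: decrypt session failed, wrong passphrase?, referer: https://hostname.domain.net/webapp_12345/?locale=de&project=12345
2015:09:16-10:55:09 waf01 reverseproxy: constructed line without an error record
2015:09:16-10:57:41 waf01 reverseproxy: [Wed Sep 16 10:57:41.120001 2015] [session_crypto:error] [pid 30877:tid 4113984368] (100006)Error string not specified yet: [client 192.0.2.10:61533] AH01842: decrypt session failed, wrong passphrase?
2015:09:16-14:02:30 waf01 reverseproxy: [Wed Sep 16 14:02:30.000123 2015] [session_crypto:error] [pid 31002:tid 4113984368] (100006)Error string not specified yet: [client 198.51.100.7:50211] AH01842: decrypt session failed, wrong passphrase?, referer: https://hostname.domain.net/webapp_12345/
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) \S+ reverseproxy: .*?"
    r"\[pid (?P<pid>\d+):tid \d+\] .*?"
    r"\[client (?P<client>[^\]]+)\] AH01842: (?P<msg>.*)$"
)

def parse_decrypt_failures(text):
    """Return one dict per AH01842 record; all other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        # The referer suffix is optional; split it off the message if present.
        _, _, referer = m.group("msg").partition(", referer: ")
        events.append({
            "time": datetime.strptime(m.group("ts"), "%Y:%m:%d-%H:%M:%S"),
            "pid": int(m.group("pid")),
            # Drop the ephemeral source port, keep the address.
            "client": m.group("client").rsplit(":", 1)[0],
            "referer": referer or None,
        })
    return events

def summarize(events):
    """Count failures per hour, per client address and per worker pid."""
    return {
        "per_hour": Counter(e["time"].strftime("%Y-%m-%d %H:00") for e in events),
        "per_client": Counter(e["client"] for e in events),
        "per_pid": Counter(e["pid"] for e in events),
    }

if __name__ == "__main__":
    for name, counts in summarize(parse_decrypt_failures(SAMPLE_LOG)).items():
        print(name, dict(counts))
```

Feeding it the real log contents instead of `SAMPLE_LOG` gives the timestamps to compare against the times users report being logged out.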

