When you use Internet Explorer to browse through several secure Web pages on a Web site that use the HTTPS protocol, you may experience the following symptoms:
- The Secure Sockets Layer (SSL) session is disconnected, and you are prompted to retype your credentials for the Web site.
- You lose your SSL session ID because SSL renegotiation occurs.
This problem occurs when one of the following conditions is true:
- You move from one secure Web page to another secure Web page before the first Web page has finished loading in Microsoft Internet Explorer 6 or in Windows Internet Explorer 7.
- An Internet Information Services (IIS) Web server is using SSL session IDs for load balancing of IIS Web server connection requests.
When you open a new Web page, Internet Explorer stops downloading page elements for the previous page. Internet Explorer sends a TCP RESET message, and it closes all the active TCP connections for the previous page. After Internet Explorer closes all the active TCP connections, it opens new TCP connections to the new page. This problem occurs when you click a hyperlink while objects are still being downloaded.
If a new HTTPS connection is initiated while an HTTPS Web page is in the SSL handshake phase of the TCP connection negotiation, the TCP RESET message causes an abnormal end to the SSL handshake. This behavior causes the SSL cache for the SSL session ID to be purged. A new connection is then established that causes a full SSL handshake and that uses a new SSL session ID. This is the default behavior for Internet Explorer.
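The following added example (not part of the original article) models why the new SSL session ID matters when a load balancer keys on it, and why affinity keyed on the client address is unaffected. It assumes three hypothetical back-end servers that do not share logon state, round-robin assignment of unknown session IDs, and a constructed event list.

```python
import hashlib
import itertools

BACKENDS = ["web1", "web2", "web3"]  # hypothetical servers, no shared logon state

class SslIdBalancer:
    """Sticky table keyed on SSL session ID; unknown IDs are placed round-robin."""
    def __init__(self):
        self.table = {}
        self.next_backend = itertools.cycle(BACKENDS)

    def pick(self, session_id, client_ip):
        if session_id not in self.table:
            self.table[session_id] = next(self.next_backend)
        return self.table[session_id]

class SourceIpBalancer:
    """Affinity keyed on the client address, independent of the SSL layer."""
    def pick(self, session_id, client_ip):
        digest = hashlib.sha256(client_ip.encode()).digest()
        return BACKENDS[digest[0] % len(BACKENDS)]

def browse(balancer, events, client_ip="192.0.2.10"):
    """Replay events for one user; return how often credentials are re-requested."""
    ids = (f"sid-{n}" for n in itertools.count(1))
    session_id = next(ids)
    logged_in = set()  # back ends that already hold this user's logon
    reprompts = 0
    for event in events:
        if event == "reset_during_handshake":
            # Cached session purged: the next connection does a full
            # handshake and is issued a new session ID.
            session_id = next(ids)
            continue
        backend = balancer.pick(session_id, client_ip)
        if backend not in logged_in:
            if logged_in:  # the first logon is not counted as a re-prompt
                reprompts += 1
            logged_in.add(backend)
    return reprompts

# Constructed browsing sequence: two clicks made before the page finished loading.
EVENTS = ["page", "page", "reset_during_handshake", "page",
          "page", "reset_during_handshake", "page"]

if __name__ == "__main__":
    print("SSL session ID affinity:", browse(SslIdBalancer(), EVENTS))
    print("Client address affinity:", browse(SourceIpBalancer(), EVENTS))
```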
To work around this problem in Internet Explorer, increase the MaxConnectionsPerServer value so that Internet Explorer can handle more than two concurrent HTTP or HTTPS connections. The default is two connections.
For more information about how to increase the number of connections, click the following article number to view the article in the Microsoft Knowledge Base:
How to configure Internet Explorer to have more than two download sessions
Internet Information Services
The following workarounds are for secure Web pages and for secure Web sites that are served from an IIS Web server. You can perform similar workarounds on non-IIS Web servers.
- Reduce the effect of this problem by preventing users from moving to another Web page while the current Web page is still loading. For example, you can use a DIV tag to show the new page in the onload event.
- Reduce the occurrence of this problem by increasing the content expiration period on the IIS Web server so that the Web page will remain cached for several days.
- Use TCP/IP load balancing instead of SSL session ID load balancing. Visit the following Microsoft Web site for more information about TCP/IP load balancing:
Article ID: 937480 - Last Review: September 28, 2011 - Revision: 2.0
- Windows Internet Explorer 7 in Windows Vista
- Windows Internet Explorer 7 for Windows Server 2003
- Windows Internet Explorer 7 for Windows XP
- Microsoft Internet Explorer 6.0