Forum Discussion
[ACCESS::user getsid key]
Hi,
With reference to the documentation for Access::user
ACCESS::user getsid
Returns the list of created external SIDs which is associated with the specified key
I am wondering:
- what those valid specified keys could be?
- who created those external SIDs, and when?
- is the word "external" related to the "Internal", i.e. 5dfd546f.session.key?
- what's the subtle difference between ACCESS::uuid and ACCESS::user getsid?
- under which situations could one have many external SIDs associated with one single key?
Thanks in advance
- youssef1
Cumulonimbus
Hi,
You can find what you need in this article:
https://devcentral.f5.com/questions/more-details-on-f5-apm-getsid-and-getkey-56668
Let me know if you need more details.
Regards
- samdlee_305622
Nimbostratus
It seems that if one could get hold of the right key, one could retrieve the APM session cookie for another APM session:

```tcl
set apm_cookie_list [ACCESS::user getsid $the_guessed_user_key]
set apm_cookie [ACCESS::user getkey [lindex $apm_cookie_list 0]]
```
It would be really appreciated if F5 experts could explain in detail how the external SIDs are associated with such a key, what the naming convention or requirements for that key are, and who comes up with such a key. Should the key contain something closely related to the session concerned, such as a hashed password? How does F5 internally avoid collisions for those keys across APM sessions? Is it the internal session variable session.user.uuid that holds the value for the specified key?
 
@Kevin Stewart could you please shed light on it?
 
- Stanislas_Piro2
Cumulonimbus
Hi,
If you didn’t change the user key, the default value is this code:

```tcl
set apm_uuid "[PROFILE::access name].[ACCESS::session data get session.logon.last.username]"
```

But you can change it, like in this code:

```tcl
when RULE_INIT {
    set static::Basic_Realm_Text "Authentication Required"
}

when HTTP_REQUEST {
    # Cache the access profile's "restrict to single client IP" setting
    if { ! [ info exists SP_PROFILE_RESTRICT_SINGLE_IP ] } {
        set SP_PROFILE_RESTRICT_SINGLE_IP [PROFILE::access restrict_to_single_client_ip]
    }
    if { ( [set sessionid [HTTP::cookie value "MRHSession"]] ne "" ) and ( [ACCESS::session exists -state_allow $sessionid] ) } then {
        # Allow the successfully pre authenticated request to pass
        return
    } else {
        if { [ string match -nocase {basic *} [HTTP::header Authorization] ] == 1 } {
            set clientless(insert_mode) 1
            set clientless(src_ip) [IP::remote_addr]
            set clientless(username) [ string tolower [HTTP::username] ]
            set clientless(password) [HTTP::password]
            # Hash the password (plus the client IP when sessions are restricted to a single IP)
            if { $SP_PROFILE_RESTRICT_SINGLE_IP == 0 } {
                binary scan [md5 "$clientless(password)"] H* clientless(hash)
            } else {
                binary scan [md5 "$clientless(password)$clientless(src_ip)"] H* clientless(hash)
            }
            # Custom user key: <lower-cased username>.<hex MD5>
            set user_key "$clientless(username).$clientless(hash)"
            # Look up existing sessions stored under this key and reuse the first one
            set clientless(cookie_list) [ ACCESS::user getsid $user_key ]
            if { [ llength $clientless(cookie_list) ] != 0 } {
                set clientless(cookie) [ ACCESS::user getkey [ lindex $clientless(cookie_list) 0 ] ]
                if { $clientless(cookie) != "" } {
                    HTTP::cookie insert name MRHSession value $clientless(cookie)
                    set clientless(insert_mode) 0
                }
            }
            # No reusable session: hand the credentials to APM in clientless mode
            if { $clientless(insert_mode) } {
                HTTP::header insert "clientless-mode" 1
                HTTP::header insert "username" $clientless(username)
                HTTP::header insert "password" $clientless(password)
            }
            unset clientless
        }
    }
}

when ACCESS_SESSION_STARTED {
    # Store the custom key so that later ACCESS::user getsid lookups find this session
    if { [ info exists user_key ] } {
        ACCESS::session data set "session.user.uuid" $user_key
    }
}

when ACCESS_POLICY_COMPLETED {
    # Note: clientless_mode is not set anywhere in this iRule as posted,
    # so this condition is false unless another iRule sets that variable.
    if { ([info exists "clientless_mode"]) && ($clientless_mode) && ([ACCESS::policy result] equals "deny") } {
        ACCESS::respond 401 noserver WWW-Authenticate "Basic realm=\"$static::Basic_Realm_Text\"" Connection close
        ACCESS::session remove
    }
}
```
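The following Python sketch is an added example, not part of any post in this thread and not F5 code. It models the key recipe from the iRule above (lower-cased username, a dot, then the hex MD5 of the password, with the client IP appended when restrict_to_single_client_ip is on) to show which requests land on an existing session. `SessionTable`, `handle_basic_auth` and `run_demo` are hypothetical names, the table is a toy stand-in for APM's session store with the getsid/getkey pair collapsed into one lookup, and the requests are constructed.

```python
import hashlib

def user_key(username, password, src_ip, restrict_to_single_ip):
    # Same recipe as the iRule: lower-cased username, ".", hex MD5 of the
    # password (with the client IP appended when single-IP restriction is on).
    material = password + (src_ip if restrict_to_single_ip else "")
    return username.lower() + "." + hashlib.md5(material.encode()).hexdigest()

class SessionTable:
    """Toy key -> session-id list; an assumption for illustration, not APM internals."""
    def __init__(self):
        self._sids = {}
        self._next = 1

    def getsid(self, key):
        return list(self._sids.get(key, []))

    def start_session(self, key):
        sid = "sid-%04d" % self._next
        self._next += 1
        self._sids.setdefault(key, []).append(sid)
        return sid

def handle_basic_auth(table, username, password, src_ip, restrict):
    # Reuse the first session stored under the key, otherwise start one.
    key = user_key(username, password, src_ip, restrict)
    sids = table.getsid(key)
    if sids:
        return "reuse", sids[0]
    return "new", table.start_session(key)

def run_demo(restrict):
    # Constructed requests: (username, password, client IP).
    requests = [
        ("alice", "s3cret", "192.0.2.10"),
        ("Alice", "s3cret", "192.0.2.10"),   # same user, different case
        ("alice", "guess1", "192.0.2.10"),   # wrong password
        ("alice", "s3cret", "192.0.2.99"),   # right password, other IP
    ]
    table = SessionTable()
    return [handle_basic_auth(table, u, p, ip, restrict) for u, p, ip in requests]

if __name__ == "__main__":
    for restrict in (False, True):
        print("restrict_to_single_client_ip =", restrict, run_demo(restrict))
```

Only a request carrying the same credentials (and, with the restriction on, the same client IP) computes a key that matches a stored session. Because the key embeds an unsalted MD5 of the password, the value written to session.user.uuid is best handled as password-equivalent wherever session variables are logged or exported.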