Forum Discussion
Added Internal site on F5 Webtop, now it mixes user accounts
Hi, I have internal booking website "x", which works properly when I access it directly.
I have added it in F5 webtop portal for remote users.
When remote user accesses the website and logs in with he's user, the portal or website (idk which) mixes user accounts, that is when user Y logs in from webtop, it may actually login a user Z using user T's credentials.
I'm not sure if our website X has problem itself or it is webtops fault.
Plesae suggest me something if you know this problem.
Thanks, Diamond.
- Lucas_ThompsonEmployee
These kinds of problems can be frustrating. Issues like this where one user logs in and sees another user's info is often due to caching. BIG-IP can store web responses from servers to speed access from users. Normally the web app server sends a "don't store this content!" signal to indicate that it is private, but sometimes this can be trouble with it. Review this article to adjust the BIG-IP's caching:
https://my.f5.com/manage/s/article/K14903
Another caching mechanism exists within web browsers themselves and can lead to similar symptoms. If it's the case that you have two users logging into the *same* browser and they see each-other's content, try to disable the browser's web cache. This Stack Overflow article discusses how to do that:
https://stackoverflow.com/questions/5690269/disabling-chrome-cache-for-website-development
If neither of those is the trouble, your best bet is probably to open a support ticket: https://my.f5.com/manage/s/article/K000090256
- diamondAltostratus
Hi, what do you recommend with the caching? should we change some settings / disable it or what configuration should we try?
Thanks
- Matt_DierickEmployee
diamond , I need some details 🙂
Are you using Portal Access resource type, or Webtop Link resource type ?
If users are mixed up, it means the application is trusting an IP or HTTP element which is common between the 2 APM sessions. We need to know how the Application assign a session to a user.
It can be based on an cookie, header, or something else (tcp session).
First advice : disable "one-connect" if it is enabled.
- diamondAltostratus
Hi Matt,
I'm support technician and I can't get the info from the admins to tell you unfortunatelly.
They tell me that it has nothing to do with webtop and the site's dev also tells me it's not sites problem.
I don't know but it can be website X's fault, as it lets you login using Y's credentials and then in portal it allows to see user Z's information. (doesn't this looks like the site has vulnerability?)
I upload images for more info. As you can see, 1st image, user INGA is loged in in her portal, then she wants to open"family doctor" page to see her patients and when she opens it, the 2nd page opens and it shows user DADIANIDZE's page actually and her patients.
Does it looks like f5 webtops problem or the internal site's problem? I repeat, internal website works good with cisco anyconnect and directly. the issue is only with when the users logs in with from F5 webtop portal.
Lucas_Thompson Lucas_Thompson, thanks for your info. I hope I get proper information to the admins.
- Lucas_ThompsonEmployee
Hi Diamond, because caching can cause behavior like you describe, I'd recommend disabling the cache (BIG-IP's and the browser's) temporarily to test if this is causing the bad behavior. If you're unfarmiliar with caching, please read this article: https://www.f5.com/glossary/caching
If you are using Portal Access (please read this article to understand what it is
https://my.f5.com/manage/s/article/K13425) , then try using the "no cache" setting, also explained in that article.
- Leslie_HubertusRet. Employee
Hi diamond - this seems like something you should contact F5 Support about, because they can help you get an answer more quickly than a post here.
Not sure if Lucas_Thompson or Hardeep_Kaur could help on this one? - lylawaNimbostratus
Are you utilizing the Portal Access resource type or the Webtop Link resource type?
If users are getting mixed up, it indicates that the application is relying on an IP or HTTP element common between the two APM sessions. It's crucial to understand how the application assigns a session to a user, whether it's based on a cookie, header, or another factor like TCP session.
As an initial step, consider disabling "one-connect" if it's currently enabled.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com