Forum Discussion
APM Session deleted when following link Webtop Link to Application URI
Hi all,
I have three virtuals:
and each virtual has a separate APM Profile (Type: All, Scope: Global, Domain Cookie: mydomain.com, Login Page + AD Auth).
The webtop has two Webtop Links (Type: Application URI) for web1 and web2
When I login to web1, I can switch to web2, no further auth is required. No matter if I open web2 in the same tab or in a different tab. This also works the other way round, authenticating first to web2 and then opening web1.
But when I login to web1 and next I open webtop.mydomain.com, my session is deleted and I have to authenticate again to both (web1 and webtop).
Also when I login to webtop and I click on the links to web1 or web2 the same happens. My access session for webtop is deleted and I have to login to webtop and web1/web2.
I traced it so far, that the browser is sending the correct cookie to https://web1.mydomain.com/. But when it redirects to /my.policy the session is deleted.
Is this the expected behaviour when mixing webtop and webtop links scenarios? Or am I hitting a bug? BIG-IP Version is 15.1.2.1
Thanks in advance & KR
Daniel
From what I see you are matching the issue in and this was version 12.1.2, so it seems an expected thing:
https://devcentral.f5.com/s/question/0D51T00006i7hk3/domain-cookie-sso
Can you also check if you have set the cookie with a persistant flag as this will not work for the webtop "Persistent: Session cookie persistence functions only on BIG-IP LTM and APM deployments. For BIG-IP APM deployments with connectivity resources (such as Network Access, Portal Access, etc.), you cannot set BIG-IP APM cookies as Persistent. This is by design, as session cookie persistence can present a security risk. For some deployments of the BIG-IP APM system, as with Microsoft SharePoint, cookie persistence may be required. When you select cookie persistence, persistence is hard coded at 60 seconds."
https://support.f5.com/csp/article/K15387
Also you use domain cookie because you want an SSO, so when the user logs into the APM to also be authenticated to the backend applications without again entering credentials?
Did you test without SSO and domain cookie just with Global profile scope if the session is deleted when accessing the webtop after first going to the application as maybe the SSO is the reason and maybe the webtop SSO does not work corectly?
Yes, the devcentral links sort of is matching my issue. I just wonder whether it is by design or else... I mean the devcentral question is rather old, it's related to BIG-IP 12.
I dont have the Persistent flag set on my cookies.
There is nothing hidden . 🙂
When I did not mention it in my question text, it is most likely not there.
I am not using Network Access. Also web1 and web2 are static websites, neither is SSO configured nor it is required.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com