Forum Discussion

Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Apr 08, 2021

From what I see you are matching the issue in and this was version 12.1.2, so it seems an expected thing:

 

https://devcentral.f5.com/s/question/0D51T00006i7hk3/domain-cookie-sso

 

 

 

Can you also check if you have set the cookie with a persistant flag as this will not work for the webtop "Persistent: Session cookie persistence functions only on BIG-IP LTM and APM deployments. For BIG-IP APM deployments with connectivity resources (such as Network Access, Portal Access, etc.), you cannot set BIG-IP APM cookies as Persistent. This is by design, as session cookie persistence can present a security risk. For some deployments of the BIG-IP APM system, as with Microsoft SharePoint, cookie persistence may be required. When you select cookie persistence, persistence is hard coded at 60 seconds."

 

https://support.f5.com/csp/article/K15387

 

 

 

Also you use domain cookie because you want an SSO, so when the user logs into the APM to also be authenticated to the backend applications without again entering credentials?

 

Did you test without SSO and domain cookie just with Global profile scope if the session is deleted when accessing the webtop after first going to the application as maybe the SSO is the reason and maybe the webtop SSO does not work corectly?

  • Daniel_Wolf's avatar
    Daniel_Wolf
    Icon for MVP rankMVP
    Apr 08, 2021

    Yes, the devcentral links sort of is matching my issue. I just wonder whether it is by design or else... I mean the devcentral question is rather old, it's related to BIG-IP 12.

     

    I dont have the Persistent flag set on my cookies.

    • Daniel_Wolf's avatar
      Daniel_Wolf
      Icon for MVP rankMVP
      Apr 09, 2021

      There is nothing hidden  . 🙂

      When I did not mention it in my question text, it is most likely not there.

      I am not using Network Access. Also web1 and web2 are static websites, neither is SSO configured nor it is required.

    • Nikoolayy1's avatar
      Nikoolayy1
      Icon for MVP rankMVP
      Apr 08, 2021

      It seems a some sort of limitation on the F5 but they have not made a good article for this.

       

       

      Have you tested if the session is deleted when not using SSO and domain cookie just a global profile?

       

       

      Can you see if without the domain cookie on the access profile for the webtop if the issue is still there? My idea is that the webtop does URL redirect and maybe this breaks the SSO and maybe if the SSO fails it also impacts the session (it shouldn't but even F5 has bugs).

       

       

      Also in /var/log/apm what is the reason for the first session to the web1 or web2 to be deleted?

    • Nikoolayy1's avatar
      Nikoolayy1
      Icon for MVP rankMVP
      Apr 08, 2021

      Also you are not using Edge client Network access when connecting to the APM web1 or web2 or webtop as this may cause issues?:

       

       

      https://support.f5.com/csp/article/K11710060

       

       

      This is an interesting case and I wonder if multy domain will have the same issue as in many previous cases that I checked people try that as when this does not work.