Forum Discussion
APM Session deleted when following link Webtop Link to Application URI
From what I see you are matching the issue in and this was version 12.1.2, so it seems an expected thing:
https://devcentral.f5.com/s/question/0D51T00006i7hk3/domain-cookie-sso
Can you also check if you have set the cookie with a persistent flag, as this will not work for the webtop: "Persistent: Session cookie persistence functions only on BIG-IP LTM and APM deployments. For BIG-IP APM deployments with connectivity resources (such as Network Access, Portal Access, etc.), you cannot set BIG-IP APM cookies as Persistent. This is by design, as session cookie persistence can present a security risk. For some deployments of the BIG-IP APM system, as with Microsoft SharePoint, cookie persistence may be required. When you select cookie persistence, persistence is hard coded at 60 seconds."
https://support.f5.com/csp/article/K15387
Also you use domain cookie because you want an SSO, so when the user logs into the APM to also be authenticated to the backend applications without again entering credentials?
Did you test without SSO and domain cookie, just with Global profile scope, to see if the session is deleted when accessing the webtop after first going to the application? Maybe the SSO is the reason and maybe the webtop SSO does not work correctly?
Yes, the DevCentral links sort of match my issue. I just wonder whether it is by design or else... I mean the DevCentral question is rather old, it's related to BIG-IP 12.
I don't have the Persistent flag set on my cookies.
- Daniel_Wolf (MVP), Apr 09, 2021
There is nothing hidden. 🙂
When I did not mention it in my question text, it is most likely not there.
I am not using Network Access. Also web1 and web2 are static websites; SSO is neither configured nor required.
- Nikoolayy1 (MVP), Apr 08, 2021
It seems to be some sort of limitation on the F5, but they have not made a good article for this.
Have you tested if the session is deleted when not using SSO and domain cookie just a global profile?
Can you see if without the domain cookie on the access profile for the webtop if the issue is still there? My idea is that the webtop does URL redirect and maybe this breaks the SSO and maybe if the SSO fails it also impacts the session (it shouldn't but even F5 has bugs).
Also in /var/log/apm what is the reason for the first session to the web1 or web2 to be deleted?
- Nikoolayy1 (MVP), Apr 08, 2021
Also, you are not using Edge Client Network Access when connecting to the APM web1 or web2 or webtop, as this may cause issues?
https://support.f5.com/csp/article/K11710060
This is an interesting case and I wonder if multi-domain will have the same issue, as in many previous cases that I checked people try that when this does not work.
- Daniel_Wolf (MVP), Apr 09, 2021
Update: I will try with Multi Domain Cookie and I will try to validate my setup against this:
Manual Chapter: Single Sign-On and Multi-Domain Support
In case all that will not bring any success, I will most likely open a support case.
- Juergen_Mang (MVP), May 20, 2022
Today I stumbled upon the exact same problem. Have you found a solution?
- Juergen_Mang (MVP), May 23, 2022
Update: I tried multi-domain mode and it works out of the box.