Forum Discussion
Angelo_Iannaril
Nimbostratus
Feb 04, 2007
authenticated IP's and session tables
We have an iRule that needs to keep track of authenticated IP addresses across several event clauses within the iRule (as an extra security check). We're using the universal session table to achieve this, as shown below.
when CLIENTSSL_CLIENTCERT {
    …
    session add universal [IP::client_addr] $status $timeout
    ….
}
when HTTP_REQUEST {
    ...
    if {[session lookup universal [IP::client_addr]] == $authenticated} {
    }
    ...
}
This seems to work, but I'm not sure that this is necessarily the best approach as the session table looks like it was intended to contain SSL session IDs. Can anyone tell me whether there are any known issues with this approach? Is there a better option for storing the IP address in a commonly accessible table for a specified time period?
- JRahm
Admin
You could populate an array instead of the session table, but I'm not sure which is the bigger resource hog. You'd need to put logic in to clean up the array as the clients in question drop off, whereas the session table cleans itself up. Turn timing on both versions of the rule to evaluate the performance of each.
- Colin_Walker_12
Historic F5 Account
The session table is actually slightly more efficient than an array, but unless you're talking about huge amounts of data, there probably wouldn't be a large difference.
- unRuleY_95363
Historic F5 Account
Since you are using an IP address, you could actually use "source_addr" as the key to the session table. The session table uses the same keying system as the persist table. So, using the "source_addr" key type would actually be more efficient than "universal" because the IP address wouldn't get converted to string and then hashed. It would just be hashed using an IP address hash algorithm instead of a string hash algorithm.
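The suggestion in the last reply, written out as an added example that is not part of the thread: the questioner's two events with the table keyed by `source_addr`. The `auth_status` and `auth_timeout` values, the certificate check and the 403 response are assumptions, and the `source_addr` mode is used as that reply describes it.

```tcl
when CLIENT_ACCEPTED {
    # Connection-scoped settings (assumed values, not from the thread).
    set auth_status "authenticated"
    set auth_timeout 300
}

when CLIENTSSL_CLIENTCERT {
    # Record the address only when a certificate was presented and
    # chain verification succeeded (verify result 0 means OK).
    if { [SSL::cert count] > 0 && [SSL::verify_result] == 0 } {
        # Same arguments as the original rule, with the key type changed
        # from "universal" to "source_addr" so the address is hashed as
        # an IP address rather than as a string.
        session add source_addr [IP::client_addr] $auth_status $auth_timeout
    }
}

when HTTP_REQUEST {
    # Fail closed: a missing or expired entry does not match the marker,
    # so the request is refused instead of falling through.
    if { [session lookup source_addr [IP::client_addr]] ne $auth_status } {
        HTTP::respond 403 content "Client certificate required"
        return
    }
}
```

Because the key is the client address, every client that arrives from the same NAT or proxy address shares one entry, so the lookup is only useful as an extra check on top of the certificate verification itself.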