For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Raymond_Cheung_'s avatar
Raymond_Cheung_
Icon for Nimbostratus rankNimbostratus
May 25, 2005

Can I keep persistance using Single Signon Cookie?

Can I use "Universal Persistance" with iRule to keep persistance using "Single Signon Cookie"?

 

It will be going to one virtual server with one pool and 2 node.

 

The Cookie Name is "ObSSOCookie"

 

Has anyone try this?

 

Please point me to the right direction.

 

 

Thanks

 

 

Raymond

 

 

application delivery
dev
devops
iRules

5 Replies

  • drteeth_127330's avatar
    drteeth_127330
    Historic F5 Account
    May 25, 2005
    A better way to do this is to use cookie hash persistence. To enable, it, create a persistence profile of mode cookie and specify a cookie mode of hash with a cookie name, hash offset, and hash length. If you do not know the length, you can use zero and the full value of the cookie will be used. This approach does not require an iRule. As its name suggests, the session persistence is based on a hash of the cookie value.
  • Raymond_Cheung_'s avatar
    Raymond_Cheung_
    Icon for Nimbostratus rankNimbostratus
    May 25, 2005
    drteeth,

     

     

    Thanks for the sugguestion.

     

     

    So, Cookie Hash Persistance will allow me to use the existing Single Signon Cookie and re-hash it to kill persistance.

     

    Thats sound really good.

     

     

    However, I do not think it will work for me in this case, the client is not using a browser to access the load-balance site, there for there is no way to store the cookie.

     

     

    It is a protal server accessing a portlet server, and then the portal server will re-render the information to the client.

     

    It is a server to server connection w/o a browser.

     

     

    The only thing that BigIP support and I can think of is to load-balance the connection is using the single signon cookie which is within the HTTP request, with iRule and Universal Persistence.

     

     

    Any though on how to do that?

     

     

    BigIP support only can help me up to this point on what to do, they cannot help me with the iRule.

     

     

    And I've no idea how the iRule tie into Universal Persistance.

     

     

     

    Thanks

     

     

    Raymond
  • unRuleY_95363's avatar
    unRuleY_95363
    Historic F5 Account
    May 25, 2005
    Two answers:

    First, a simple rule that does universal persistence on a cookie only ever present coming from the client would look like this: 

     
 rule signon_persist { 
    when HTTP_REQUEST { 
       persist uie [HTTP::cookie ObSSOCookie] 
    } 
 }

    Second, Dr.Teeth referred to cookie hash persistence, which is more or less the equivalent to the above. It only performs persistence based on an already present cookie. In your case, you might configure it like: 

     
 profile persist signon_persist { 
    mode cookie 
    cookie mode hash 
    cookie name ObSSOCookie 
    cookie hash offset 0 
    cookie hash length 0 
 }

    Either of these methods should work fine for persisting the same signon cookie to the same server.
  • Raymond_Cheung_'s avatar
    Raymond_Cheung_
    Icon for Nimbostratus rankNimbostratus
    May 26, 2005
    Thanks for the help!

     

    DevCentral and Dr. Teeth.

     

    I will try implement this on our next outage.

     

     

    How and where can I learn more about iRule?

     

    Is there any book or website (apart from DevCentral)?

     

     

    Thanks

     

     

    Raymond
  • drteeth_127330's avatar
    drteeth_127330
    Historic F5 Account
    May 26, 2005
    At this time, there is only DevCentral and the BIG-IP manuals. More documentation is on the way.