For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Mario_Almeida_5's avatar
Mario_Almeida_5
Icon for Nimbostratus rankNimbostratus
May 03, 2012

cookie base persistence

Hi All,

 

 

 

I have 2 virtual servers http_vs and https_vs on the same domain pointing to the same pool

 

 

 

our default web site is http but when it comes to login and purchase, users are redirected to https.

 

I want to achive cookie base session persitence with an idle timeout of 10 min.

 

 

 

Our application uses JSESSIONID as the cookie.

 

 

 

I tried with the available irule for jsessionid from here https://devcentral.f5.com/wiki/iRules.Weblogic_JSessionID_Persistence.ashx. but this do not maintain session when switched from http to https.

 

 

 

I used even this irule https://devcentral.f5.com/wiki/iRules.HttpToHTTPsCookiePersistence.ashx but issue is with application timeout.

 

 

 

So I modified the irule as below.

 

 

 

when HTTP_REQUEST {

 

 

 

This logs information about the TCP connections on *both* sides of the full proxy

 

set client_remote "[IP::client_addr]:[TCP::client_port]"

 

set client_local "[IP::local_addr clientside]:[TCP::local_port clientside]"

 

 

 

Log details for the request

 

log local0. "| REQ | $client_remote | $client_local | server_local | server_remote | [HTTP::cookie value ISASESSIONID] | [HTTP::uri]"

 

 

 

if { [HTTP::cookie exists "ISASESSIONID"] } {

 

persist uie [HTTP::cookie value "ISASESSIONID"]

 

}

 

}

 

 

 

when HTTP_RESPONSE {

 

 

 

set server_remote "[IP::server_addr]:[TCP::server_port]"

 

set server_local "[IP::local_addr serverside]:[TCP::local_port serverside]"

 

 

 

if { ![HTTP::cookie exists "ISASESSIONID"] } {

 

 

 

if { [HTTP::cookie "JSESSIONID"] ne "" } {

 

set newCookie [HTTP::cookie value JSESSIONID]

 

HTTP::cookie insert name "ISASESSIONID" value $newCookie path /

 

persist add uie [HTTP::cookie value "ISASESSIONID"]

 

}

 

}

 

log local0. "| RES | $client_remote | $client_local | $server_local | $server_remote | [HTTP::cookie value ISASESSIONID]"

 

}

 

 

 

Can someone verify if this is the best way to achive cookie base persistence with application timeout?

 

 

 

application delivery
dev
devops
iRules

3 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    May 03, 2012
    If it's the same pool for both virtual servers on the same domain, you can use a default cookie insert persistence profile without an iRule.

     

     

    Aaron
  • Mario_Almeida_5's avatar
    Mario_Almeida_5
    Icon for Nimbostratus rankNimbostratus
    May 03, 2012

    Hi Aaron,

     

     

     

    Default insert cookie has no option to specify timeout

     

     

    ltm persistence cookie cookie {

     

    cookie-name none

     

    expiration 0

     

    hash-length 0

     

    hash-offset 0

     

    method insert

     

    mirror disabled

     

    }

     

     

     

     

    Mario

     

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    May 03, 2012
    Hi Mario,

     

     

    By default LTM sets a session cookie which the client should keep in memory until the browser is closed. If you want a time expired cookie you can set the expiration.

     

     

    That said, why do you want the cookie to expire? As long as the cookie is there longer than the application's session timeout there is no harm in it being there longer. The persistence cookie has nothing to do with accessing the application after the application session expires--it just triggers TMM to send the client's requests to the same pool member.

     

     

    Aaron