For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Luke_Lehman's avatar
Luke_Lehman
Icon for Employee rankEmployee
Aug 13, 2010

Cookie Insert Persistence Expiration / Timeout Setting

Forgive my ignorance with the topic, but I'm curious about the expiration / timeout settings for Cookie Insert Persistence.

 

 

In reading the F5 manuals the verbiage is as follows:

 

 

Expiration:

 

 

 

Sets the expiration time of the cookie. Applies to the HTTP Cookie Insert and HTTP Cookie Rewrite methods only. When using the default (checked), the system uses the expiration time specified in the session cookie.

 

 

My curiousity surrounds the "session cookie" part of the statement. Which session cookie is this referring to? An application session cookie or something else.

 

 

[Edit]

 

 

Further down in the doc it says this:

 

 

The expiration date for the cookie is set based on the timeout configured on the BIG-IP system.

 

 

Not sure what that means either.

 

 

[/Edit]

 

 

Thanks.
config
design

4 Replies

  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Aug 13, 2010
    When I insert a cookie without specifying the expiration, it defaults to "when browser closes" so I assume a session cookie is a cookie that expires when you close the browser.
  • Luke_Lehman's avatar
    Luke_Lehman
    Icon for Employee rankEmployee
    Aug 13, 2010
    Posted By Chris Miller on 08/13/2010 11:56 AM

     

    When I insert a cookie without specifying the expiration, it defaults to "when browser closes" so I assume a session cookie is a cookie that expires when you close the browser.

     

    Chris - thanks for the response. Yeah, I'm a little fuzzy too on what exactly the session cookie is. I know that the LTM creates a session table for connections, but am unfamiliar with the possibility of LTM having session cookies. I was under the impression that session cookies were created by the application web servers...
  • r_dynamo_79563's avatar
    r_dynamo_79563
    Icon for Nimbostratus rankNimbostratus
    Nov 16, 2012
    An F5 build for an application I'm working on has two Servers listening on port 9000 which require a cookie based load balancing method, which tranfers end-user sessions seamlessly without forceful logouts in case the Server handling the load balancing requests goes down.

     

     

    Currently, there is no SSL termination from the F5, and the SSL handshakes are handled by the Servers themselves. From my conversation at F5 support, they said that cookie insertion is not possible without SSL termination, and currently the F5 is just passing encrypted traffic to the Servers; since Inter-Server authentication is not portable among pool members, the objective cannot be fulfilled in the current scenario.

     

     

    Can SSL termination be done from the F5, along with cookie insertion with Servers listening on port 9000 (other than 80) to fullfil above objective? My goal is to fulfill above objective with minimal intervention from ServerOps or Database team to get this build ready!

     

  • What_Lies_Bene1's avatar
    What_Lies_Bene1
    Icon for Cirrostratus rankCirrostratus
    Nov 16, 2012
    Yes, you can terminate the SSL on the F5; you'll need the private key and certificate.

     

    Yes, you can then use Cookie Persistence.

     

    Yes, you can use any valid port number you'd like for the pool members, the BIG-IP will translate ports automatically.

     

     

    How will the cookie persistence method allow for seamless session transfer?