Forum Discussion

Chris_Miller's avatar
Icon for Altostratus rankAltostratus
Feb 21, 2011

Default Cookie Name Behavior

I'm load balancing an application behind IBM's WebSEAL product. A User authenticates via WebSEAL which then sends the traffic to the application VIP. According to the link below, WebSEAL adds a prefix to cookie names. So, rather than seeing a cookie named "BIGipServer," I see "AMWEBJCT!BIGipServer*"




I'm wondering what LTM will do if it receives this as the cookie name? Will it see that the name contains BIGip and do its job, or is it looking for the exact name?


3 Replies

  • Hi Chris,

    LTM will ignore cookies which it doesn't recognize. You could rewrite it with an iRule. Is it in requests or responses that the cookie name needs to be rewritten? It would be easier to rewrite the request as the cookie doesn't have any properties to preserve in requests (it's just a name=value pair):

     Rename a cookie by inserting a new cookie name with the same value as the original.  Then remove the old cookie.
    when HTTP_REQUEST {
        Check if old cookie exists in request
       if { [HTTP::cookie exists "old-cookie-name"] } {
           Insert a new cookie with the new name and old cookie's value
          HTTP::cookie insert name "new-cookie-name" value [HTTP::cookie value "old-cookie-name"]
           Remove the old cookie
          HTTP::cookie remove "old-cookie-name" 

  • Aaron - the flow is like this: Client -> VIP -> WebSEAL Pool member -> VIP -> WebLogic Pool Member



    At the WebSEAL VIP, source address persistence is just fine. Since my WebSEAL Pool Members will be the devices sending traffic to the WebLogic pool, connections are essentially proxied so using an address-type persistence kills the ability to load balance requests adequately.



    From a cookie insertion perspective, I've enabled cookie persistence at the WebLogic VIP. Unfortunately, WebSEAL rewrites the name of the cookie per the document above. I'm exploring whether our WebSEAL team can make changes. If worst came to worst, I can come up with something using an iRule but didn't understand what options were available with the out-of-box cookie profile as I've really only ever used iRules.
  • Good news Aaron. I thought about this more and got to wondering whether WebSEAL was only renaming the cookie between itself and the client. As it turns out, that is indeed the case. When WebSEAL sends the request to the WebLogic VIP, it does so without the junction name so LTM sees the original BIGip cookie. I used an excellent example of yours to log all cookie names to confirm.