Default Cookie Name Behavior

Question

I'm load balancing an application behind IBM's WebSEAL product. A User authenticates via WebSEAL which then sends the traffic to the application VIP. According to the link below, WebSEAL adds a prefix to cookie names. So, rather than seeing a cookie named "BIGipServer," I see "AMWEBJCT!BIGipServer*"

http://publib.boulder.ibm.com/infoc...min180.htm

I'm wondering what LTM will do if it receives this as the cookie name? Will it see that the name contains BIGip and do its job, or is it looking for the exact name?

hoolio · Answer

Hi Chris, 
  
 LTM will ignore cookies which it doesn't recognize.  You could rewrite it with an iRule.  Is it in requests or responses that the cookie name needs to be rewritten?  It would be easier to rewrite the request as the cookie doesn't have any properties to preserve in requests (it's just a name=value pair):

http://devcentral.f5.com/wiki/default.aspx/iRules/http__cookie
 Rename a cookie by inserting a new cookie name with the same value as the original.  Then remove the old cookie.
when HTTP_REQUEST {

Check if old cookie exists in request
   if { [HTTP::cookie exists "old-cookie-name"] } {

Insert a new cookie with the new name and old cookie's value
      HTTP::cookie insert name "new-cookie-name" value [HTTP::cookie value "old-cookie-name"]

Remove the old cookie
      HTTP::cookie remove "old-cookie-name" 
   }
}

Aaron

chris_miller · Answer

Aaron - the flow is like this: Client -&gt; VIP -&gt; WebSEAL Pool member -&gt; VIP -&gt; WebLogic Pool Member 
&nbsp;  
&nbsp; At the WebSEAL VIP, source address persistence is just fine. Since my WebSEAL Pool Members will be the devices sending traffic to the WebLogic pool, connections are essentially proxied so using an address-type persistence kills the ability to load balance requests adequately. 
&nbsp;  
&nbsp; From a cookie insertion perspective, I've enabled cookie persistence at the WebLogic VIP. Unfortunately, WebSEAL rewrites the name of the cookie per the document above. I'm exploring whether our WebSEAL team can make changes. If worst came to worst, I can come up with something using an iRule but didn't understand what options were available with the out-of-box cookie profile as I've really only ever used iRules.

chris_miller · Answer

Good news Aaron. I thought about this more and got to wondering whether WebSEAL was only renaming the cookie between itself and the client. As it turns out, that is indeed the case. When WebSEAL sends the request to the WebLogic VIP, it does so without the junction name so LTM sees the original BIGip cookie. I used an excellent example of yours to log all cookie names to confirm.

Forum Discussion

Default Cookie Name Behavior

Recent Discussions

VS FORWARDING & ROUTE

Diameter iRules attachment?

Source IP F5 DNS Zone Forwarder

F5 BIG-IP

BIG-IP Oauth Client and AS

Related Content

iRules variables in BIG-IP Next: behavior change

behavior of SSL::disable serverside

Cookie-based DDoS protection

Behavior of outbound DNS query from LTM behavior

AI Safety: Navigating Deception, Emergent Goals, and Power-seeking Behaviors

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS