Default Cookie Name Behavior

Question

I'm load balancing an application behind IBM's WebSEAL product. A User authenticates via WebSEAL which then sends the traffic to the application VIP. According to the link below, WebSEAL adds a prefix to cookie names. So, rather than seeing a cookie named "BIGipServer," I see "AMWEBJCT!BIGipServer*"

http://publib.boulder.ibm.com/infoc...min180.htm

I'm wondering what LTM will do if it receives this as the cookie name? Will it see that the name contains BIGip and do its job, or is it looking for the exact name?

hoolio · Answer

Hi Chris, 
  
 LTM will ignore cookies which it doesn't recognize.  You could rewrite it with an iRule.  Is it in requests or responses that the cookie name needs to be rewritten?  It would be easier to rewrite the request as the cookie doesn't have any properties to preserve in requests (it's just a name=value pair):

http://devcentral.f5.com/wiki/default.aspx/iRules/http__cookie
 Rename a cookie by inserting a new cookie name with the same value as the original.  Then remove the old cookie.
when HTTP_REQUEST {

Check if old cookie exists in request
   if { [HTTP::cookie exists "old-cookie-name"] } {

Insert a new cookie with the new name and old cookie's value
      HTTP::cookie insert name "new-cookie-name" value [HTTP::cookie value "old-cookie-name"]

Remove the old cookie
      HTTP::cookie remove "old-cookie-name" 
   }
}

Aaron

chris_miller · Answer

Aaron - the flow is like this: Client -&gt; VIP -&gt; WebSEAL Pool member -&gt; VIP -&gt; WebLogic Pool Member 
&nbsp;  
&nbsp; At the WebSEAL VIP, source address persistence is just fine. Since my WebSEAL Pool Members will be the devices sending traffic to the WebLogic pool, connections are essentially proxied so using an address-type persistence kills the ability to load balance requests adequately. 
&nbsp;  
&nbsp; From a cookie insertion perspective, I've enabled cookie persistence at the WebLogic VIP. Unfortunately, WebSEAL rewrites the name of the cookie per the document above. I'm exploring whether our WebSEAL team can make changes. If worst came to worst, I can come up with something using an iRule but didn't understand what options were available with the out-of-box cookie profile as I've really only ever used iRules.

chris_miller · Answer

Good news Aaron. I thought about this more and got to wondering whether WebSEAL was only renaming the cookie between itself and the client. As it turns out, that is indeed the case. When WebSEAL sends the request to the WebLogic VIP, it does so without the junction name so LTM sees the original BIGip cookie. I used an excellent example of yours to log all cookie names to confirm.

Forum Discussion

Default Cookie Name Behavior

Recent Discussions

Update OWASP score task failed.

Standby Has Fewer Online VIPs Than Active – Requires Manual Monitor Reset

Doesn't serverside ssl disable iRule work in SSLO?

Is there any way to recover the ASM statistics?

DDoS Two-Layer Architecture

Related Content

Default wideip/pool behavior?

Cookie

vcmp system factory default

Default gateway pool persistence

changing DEFAULT ciphers v14.x

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS