Feb 13, 2024

Exchange Webmail Mailbox Hopping

I have set up an Exchange virtual server that hosts webmail for my external users. It uses APM to authenticate and manage the session before passing it off to my internal F5. This all works through a Netscaler just fine, and my internal users have no issues. When going through the F5 with APM on it, I have this weird issue where a user can hit refresh and all of a sudden they're in someone else's mailbox! Huge issue, really. Example: I'm logged in as John Smith. I'm clicking around in my inbox and it gets slow. I hit refresh in my browser and now I'm in Jane Johnson's mailbox and I can read all of her mail.

It's not consistent either. Sometimes it happens and sometimes it doesn't. It's not always the same mailbox I end up in either. Anyone ever seen this before?

  • Additional info: I dug through the debug logs today and very clearly found that the F5 APM is reusing active session IDs for other users. Pretty wild, honestly. Of all the eight-digit values that it could use, it seems to be reusing the same ones. I had around five users logged in at the time of the issue, and I see one single user that hops around three other session IDs that were active for other users.

    I also found a particular log message that may be of interest here. I think that number in bold is a hash value. If that's true, I'm seeing that same hash value in another session ID, which would indicate a hash collision. I haven't confirmed that the value is a hash, though. Still trying to find that in the docs.

    -Feb 13 09:03:05 debug websso.1[22102]: 014d0052:7: /AppName/ProfileName:AppName:3e530281:init webssoConfig from data: 0x7ff454047c18, len: 614
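The following is an added example, not code from the original post, from F5, or from any APM tooling. It does two things a defender would want when investigating the symptoms above: it parses APM-style log lines of the shape quoted in the post and flags any session ID that is seen with more than one username, and it estimates how likely it is that five independently drawn eight-hex-digit (32-bit) session IDs collide by chance, which is the difference between a random collision and the ID reuse the post describes. Assumptions: the eight-hex-digit field between the profile path and the message text is the session ID (taken from the quoted line); the username-bearing lines, their `Username 'x'` wording, and their message IDs are constructed sample input, not real APM log codes.

```python
import re
from collections import defaultdict

# Line shape modelled on the single line quoted in the post:
#   <date> <level> <process>[pid]: <msgid>:<lvl>: /Path/Profile:Partition:<sessid>:<text>
# The 8-hex-digit field after the profile path is treated as the APM session ID
# (assumption based on the quoted line).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) (?P<proc>[^:\s]+): "
    r"(?P<msgid>[0-9a-f]{8}:\d+): "
    r"(?P<profile>/[^:]+:[^:]+):(?P<sessid>[0-9a-f]{8}):(?P<text>.*)$"
)
# Assumed wording of a username-bearing message; adjust to your real log format.
USER_RE = re.compile(r"Username '(?P<user>[^']+)'")

# Constructed sample input. Only the third line is the one quoted in the post;
# the others are made up to show a session ID shared by two users. The message
# IDs on the constructed lines are placeholders, not real APM message codes.
SAMPLE_LOG = """\
Feb 13 09:01:10 notice apmd[20011]: 01000000:5: /AppName/ProfileName:AppName:3e530281:Username 'jsmith'
Feb 13 09:01:12 notice apmd[20011]: 01000000:5: /AppName/ProfileName:AppName:7a1c09f4:Username 'jjohnson'
Feb 13 09:03:05 debug websso.1[22102]: 014d0052:7: /AppName/ProfileName:AppName:3e530281:init webssoConfig from data: 0x7ff454047c18, len: 614
Feb 13 09:04:41 notice apmd[20011]: 01000000:5: /AppName/ProfileName:AppName:3e530281:Username 'jjohnson'
Feb 13 09:05:02 notice apmd[20011]: 01000000:5: /AppName/ProfileName:AppName:c41d77b2:Username 'ajones'
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def users_by_session(log_text):
    """Map each session ID to the set of usernames the log associates with it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        u = USER_RE.search(rec["text"])
        if u:
            seen[rec["sessid"]].add(u.group("user"))
    return seen


def find_shared_sessions(log_text):
    """Session IDs that carried more than one username: the symptom in the post.

    Returns {sessid: sorted list of usernames} for every such ID.
    """
    return {
        sid: sorted(users)
        for sid, users in users_by_session(log_text).items()
        if len(users) > 1
    }


def collision_probability(n_sessions, id_bits=32):
    """Birthday-bound probability that n independently random IDs of id_bits
    bits contain at least one duplicate (exact product form, fine for small n)."""
    space = 2 ** id_bits
    if n_sessions > space:
        return 1.0
    p_all_distinct = 1.0
    for i in range(n_sessions):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


if __name__ == "__main__":
    for sid, users in find_shared_sessions(SAMPLE_LOG).items():
        print(f"session {sid} seen with multiple users: {', '.join(users)}")
    p = collision_probability(5)
    print(f"chance that 5 random 32-bit IDs collide by accident: {p:.2e}")
```

Run against real `/var/log/apm` output, the `Username '...'` pattern is the part most likely to need adjusting. The collision estimate is the point worth noting: with eight hex digits there are 2^32 possible IDs, so five concurrent sessions colliding at random has a probability on the order of 10^-9; seeing it repeatedly with five users points at reuse or a deterministic derivation, not bad luck.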