Forum Discussion
THASIN
Nimbostratus
Nimbostratushttp to https cookie persistence
Hi ALL,
Creating persistence record based on IP address using custom made irule as specified in the link below, Is there any randomness or variance or uniqueness in the persistence record. input to MD5 or SHA 1 is IP address it can be same for two different clients hitting the same node for the first time. Shall we consider to add randomness in the persistence record? or is it ok.
Please comment
https://devcentral.f5.com/wiki/iRul...tence.ashx
Regards
Insitha
hooleylistCirrostratus
Hi Thasin,
As the cookie value is just used to persist clients to the same pool member, you actually want it to be specific to the pool member, not the client session. This is more efficient for TMM as there are fewer records to store in memory.
Here's an updated version of the Codeshare iRule which uses a lighterweight CRC32 checksum.
If you're on 11.x you can use this version:rule cookie_persist_http_plus_s { Check if there is a cookie and use persistence table if the entry does not exist, loadbalance and create record when HTTP_REQUEST { if { [HTTP::cookie value "bIPs"] ne "" } { persist uie [HTTP::cookie value "bIPs"] set need_cookie 0 } else { set need_cookie 1 } } when PERSIST_DOWN { This event will only work in 11.0+. Ask F5 Support for details on BZ225436 for details. Server that UIE peristence pointed to was down set need_cookie 1 } Calculate CRC32 checksum of the server's IP and store it as a cookie and create persistence record when HTTP_RESPONSE { if { $need_cookie } { HTTP::cookie insert name "bIPs" value [crc32 [IP::server_addr]] path "/" persist add uie [HTTP::cookie value "bIPs"] } } }
v10.x version which sets the cookie on every responserule cookie_persist_http_plus_s { Check if there is a cookie and use persistence table if the entry does not exist, loadbalance and create record when HTTP_REQUEST { if { [HTTP::cookie value "bIPs"] ne "" } { persist uie [HTTP::cookie value "bIPs"] } } Calculate CRC32 checksum of the server's IP and store it as a cookie and create persistence record when HTTP_RESPONSE { HTTP::cookie insert name "bIPs" value [crc32 [IP::server_addr]] path "/" persist add uie [HTTP::cookie value "bIPs"] } }
Aaron- hooleylistAlso, you can open a case with F5 Support to request F5 support persistence across virtuals/services/pools for cookie insert persistence referencing BZ273815.
Aaron 
Mario_Almeida_5Hi Aaron,
As per my understanding crc32 [IP::server_addr] will always give same value for a given string/ip.
What if you need to timeout the session after idle timeout of 10 min?
You have 2 members in a pool and 6 users.
Asume that crc32 value for membes is as follows
member 1 value is 3079cfbf
member 2 value is 1b549c7c
user ->
member1 ->
12 ->
23 ->
14 ->
25 ->
16 ->
2As per above users 1, 3 and 5 will go to member 1 and users 2, 4 and 6 will go to member 2. With respect to this, user 1, 2 and 3 will get their cookie value as 3079cfbf and user 2, 4 and 6 will get 1b549c7c.
As of start all the usres are accessing the site, after a while user 1 having session id as 3079cfbf stops accessing but leaves the browser open. mean while user 3 and 5 having session id as 3079cfbf keep accessing the site. After 15 min user 1 retruns back. In this case having the browser open the session remains same so it will not timeout.
How to handle such a situation?
Mairo
Michael_YatesHi Mario,
The behavior that you are describing is the default behavior of the F5 injected cookie. It is a Session Cookie that lives for the session of the browser, not the Application Session.
So until the user closes the browser the server affinity to server selected upon the initial connection (and stored in the F5 Session Cookie), the user will be persisted to the same server.
Hope this helps.- hooleylistThis is just for persistence. You want to ensure the persistence record is maintained for at least as long as the user's session. But there shouldn't be any downside to having the persistence record there for longer than a user's session. As you only have one persistence record per pool member, they could stay in the persistence table indefinitely with almost no impact on BIG-IP memory.
Aaron - Mario_Almeida_5Hi Arron,
I have modified the iRule for our application timeout.
====================================================================
when HTTP_REQUEST {
This logs information about the TCP connections on *both* sides of the full proxyset client_remote "[IP::client_addr]:[TCP::client_port]"set client_local "[IP::local_addr clientside]:[TCP::local_port clientside]"Log details for the requestlog local0. "| REQ | $client_remote | $client_local | server_local | server_remote | [HTTP::cookie value ISASESSIONID] | [HTTP::uri]"if { [HTTP::cookie exists "ISASESSIONID"] } {persist uie [HTTP::cookie value "ISASESSIONID"]}}
when HTTP_RESPONSE {
set server_remote "[IP::server_addr]:[TCP::server_port]"set server_local "[IP::local_addr serverside]:[TCP::local_port serverside]"if { ![HTTP::cookie exists "ISASESSIONID"] } {if { [HTTP::cookie "JSESSIONID"] ne "" } {set newCookie [HTTP::cookie value JSESSIONID]HTTP::cookie insert name "ISASESSIONID" value $newCookie path /persist add uie [HTTP::cookie value "ISASESSIONID"]}}log local0. "| RES | $client_remote | $client_local | $server_local | $server_remote | [HTTP::cookie value ISASESSIONID]"}
====================================================================
I use the original weblogin irule from devcentral for jsessionid but it dint work when maintaining persistence from http to https switch.
Actually I am new to iRule. If you can help me to optimise the above irule except the log entry will be great.
- hooleylistHi Mario,
Can you create a new post and add detail on your overall scenario and what you're trying to accomplish? Do you have an HTTP and an HTTPS virtual server on the same domain name? Do you want to persist clients across HTTP and HTTPS with cookies?
Thanks, Aaron