rookief5_79098
Aug 27, 2010

iRule for application cookie with LTM and APM

Hello

I wonder if anyone can help. I work for a company that has just acquired some LTMs and an APM module.

I have a web application that I intend to protect with APM.

We want to use an external logon facility that will allow users to access the web app. This seems straightforward in APM. Throw up a logon page, HTTP POST etc.

But our authentication service will generate two cookies.

The first will create the authentication cookie - I guess APM sorts that out?

The second is a session cookie used to maintain sessions with the web app after successful logon.

Neither of these must ever be passed back to the user's browser.

However, if a session drops I need to allow the user to rejoin that session without creating a new one.

I haven't used iRules much, so is this something that sounds possible? I'm guessing some HTTP-RESPONSE events...

Thanks

James K


  • Colin_Walker_12
    Historic F5 Account
    So you want the cookies to exist, but not be stored in the client, and be stateful across multiple connections by the same client if they drop and re-join? Sounds hairy, but possible. You'd need to store the info in memory and associate it with the client somehow. I assume there's some unique identifier that you already have laid out to accomplish this?

    Colin
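
An added example, not part of the thread and not any poster's or F5's own code: one way to build the in-memory store described in the reply above as an iRule, keyed on the APM session ID. The cookie names `APP_AUTH` and `APP_SESSION` and the 1800-second idle timeout are constructed placeholders, and the sketch assumes the cookies are set in backend responses that pass through the APM-protected virtual server.

```tcl
when RULE_INIT {
    # Constructed placeholder names: replace with the application's cookies.
    set static::hidden_cookies {APP_AUTH APP_SESSION}
    # Idle timeout (seconds) for stored values; a placeholder value.
    set static::jar_idle_timeout 1800
}

when ACCESS_ACL_ALLOWED {
    # APM has already validated the session here, so the jar is keyed on
    # the APM session ID and not on a raw, unverified client value.
    set sid [ACCESS::session data get "session.user.sessionid"]
    if { $sid eq "" } { return }
    set jar "cookiejar_$sid"

    foreach name $static::hidden_cookies {
        # Discard any client-supplied copy so the browser cannot
        # override or probe the server-side value.
        if { [HTTP::cookie exists $name] } {
            HTTP::cookie remove $name
        }
        # table lookup also refreshes the entry's idle timer.
        set value [table lookup -subtable $jar $name]
        if { $value ne "" } {
            HTTP::cookie insert name $name value $value
        }
    }
}

when HTTP_RESPONSE {
    # No validated APM session on this connection: nothing to store.
    if { ![info exists jar] } { return }

    foreach name $static::hidden_cookies {
        if { [HTTP::cookie exists $name] } {
            # Keep the value on the BIG-IP and strip the Set-Cookie
            # header so it never reaches the browser.
            table set -subtable $jar $name [HTTP::cookie value $name] $static::jar_idle_timeout
            HTTP::cookie remove $name
        }
    }
}
```

Because the jar is keyed on the APM session rather than the TCP connection, a client that reconnects with the same APM session gets the stored cookies re-inserted on its next request.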
  • Hi

    I have a similar requirement. At first, I thought I could use Cookie Remove - but that would probably break the session/app and not possible.

    We then tried to look at maybe using the F5 to encrypt the cookie, thus securing it on the client.

    However, the customer is quite sure they want it to not reside on the client at all! Therefore needing some way to use a session table + cookie "store".

    Since we're looking at APM we were thinking MRHsession cookie...

    The requirement is that the two cookies from the app, one is used for Authentication has been accepted (so APM for example can use that in the HTTP SSO Creds for successful Auth) and the other contains something quite specific for the application...

    ... which is to control the session timeout of that user.

    So... I think our requirement is like yours James.

    Colin - any ideas here?

    Seems to be stretching the reverse proxy function somewhat...
  • Hi,

    I think you will need one piece of information about the APM session at the client (e.g. a cookie). Unfortunately you can't access all of the APM session information from the HTTP_REQUEST/_RESPONSE events.

    I had a similar problem because I need to send the current Username in a Header for each request to the backend. I posted my iRule at:

    http://devcentral.f5.com/wiki/default.aspx/iRules/insert_Header_for_APM_Policy.html

    The iRule sets a crafted cookie to the client after successful Authentication (APM) and extracts the information from it during HTTP events.

    Not sure if there is a way without crafting your own cookie.
  • Hi,

    I have some of my applications hosted in DR and HO, and APM does the single sign-on. When I connected to HO, I am able to do a single sign-on to all my applications, but for the applications which are in DR, APM presents the authentication page and I am logged out of HO. Since HO and DR use the same MRHsession and LastMRH_session cookies, I believe this is the possible cause of the session logout.

    Is it possible to rename the default APM cookie, such that I can log in to HO and DR at the same time?

    Best Regards,

    Asim Sharfuddin
  • Hi,

    In single domain mode, if you specify a cookie name, you will face problems accessing applications in the same domain from different DCs. One simple way to fix that would be to remove the domain info from the policy, which makes cookies host-based. Downside: SSO across different hostnames in the same domain will not work.

    Thanks