Forum Discussion
Is there any way, in an iRule, to see if an APM session exists using the regular SID format?
Hi. Does anyone know any way to look up an APM session based on session ID? When I say session ID, I am talking about the session ID format found throughout the product's GUI, report pages, etc (and also the LastMRH_Session cookie). Here is an example of the SID format I mean: 0b75aaa4.
When I look in the iRule wiki, I see this code example given for seeing if a session exists:
when HTTP_REQUEST {
    set apm_cookie [HTTP::cookie value MRHSession]
    if { $apm_cookie != "" && ! [ACCESS::session exists $apm_cookie] } {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"www.example.com\""
        return
    }
}
But the MRHSession cookie doesn't hold just the SID. It holds a value that looks something like this, where only the last few characters represent the actual session ID: MRHSession=43158eb2be350a409739137c0b75aaa4.
I've tried putting a regular SID into the "ACCESS::session exists" command, but it always returns false. It only seems to work when using the longer MRHSession command format. Is there any command that exists that takes the regular format, or any way to make this command use the regular format?
10 Replies
- John_Alam_45640
Historic F5 Account
Making a guess here, I would say most likely not. The APM uses a session ID that is very long to make it very hard to guess. If you were able to locate the same session by only using 8 characters, it would mean that the rest are insignificant and an attacker can hijack the session much easier.
HTH.
- brad_11480
Nimbostratus
Well, I just realized that the first 24 characters can be anything. It only looks at and uses the last 8, even though it requires it to be 24. I just put 'x' and 'z' for the first 24 and it is just fine.
- kunjan
Nimbostratus
Will this help?
when HTTP_REQUEST {
    if { ! [ACCESS::session exists -state_allow -sid [HTTP::cookie MRHSession]] } {
        .....
    }
}
- Algebraic_Mirror
Cirrostratus
@Kunjan: Thanks, but no, that won't help, because in my scenario the MRHSession cookie is deleted. I only have the "LastMRH_Session" cookie, which has the shorter 8 character number.
@John: I believe the 8 characters are unique though, because again, they use them literally everywhere inside the product, such as in all the reports, in the "Manage Sessions" screen, etc. Those eight characters are even on every single web request as the "LastMRH_Session" cookie. Yes, the F5 seems to salt it when putting it in the MRHSession cookie to prevent an attacker from forging a request, but it only does that for HTTP requests. Internally in the system it seems to be the unsalted eight characters everywhere, and I'd just like to find a way to look it up using that widespread format.
Any other ideas?
- kunjan
Nimbostratus
..in my scenario the MRHSession cookie is deleted. I only have the "LastMRH_Session" cookie, which has the shorter 8 character number.
Just curious, what scenario are you having? If it's deleted, wouldn't this be considered an invalid session?
- AlgebraicMirror
Altostratus
Yes, it would be considered an invalid session, which causes the APM to start up a new session. But I don't want a new session; I just want the traffic dropped. Here's the specific scenario: there's a race condition in the latest Exchange CAS iApp for Exchange/OWA 2013. What happens is that oftentimes after you sign out, and the APM removes your session, other browser threads will still be in the process of firing off a last HTTP request for content from OWA (the browser doesn't stop them instantly; they are not stopped until after your redirect to the hangup page is complete). In some cases, they don't submit the MRHSession cookie because the hangup page erases it, but they are still in flight in the browser thread and still get fired off at the last second. When they hit the APM, the APM sees that the session no longer exists, so it starts a new one. It also records the URL they requested (often a JavaScript file or some other such) in a session variable so that it can redirect to that after the user finishes logging in. This is all background stuff the user doesn't see. But then, if the user hits the "start new session" link on the hangup page, they will get an error saying a session is already in progress, and they will get sent to the APM login page to complete authentication. After they complete authentication, they will get redirected to a JavaScript resource rather than the OWA homepage, because that earlier late-breaking request for a resource created a new session and set the redirect variable to that resource. This breaks the OWA app for that user. So I need to be able to look things up by the 8-digit ID in an iRule so that I can discard the traffic before it creates a new session, because in some cases that 8-digit ID is literally the only thing I have that could distinguish valid traffic from invalid traffic.
- kunjan
Nimbostratus
Have you tried extending the "Logout URI Timeout" to a longer duration?
May 5 23:35:00 bigip6 notice tmm[11855]: 01490518:5: 8ecddd3a: Session will be deleted in 60 secs due to user logout request.
May 5 23:36:22 bigip6 notice tmm[11855]: 01490501:5: 8ecddd3a: Session deleted due to user logout request.
- brad_11480
Nimbostratus
just put 24 characters in front of the 8 and it will be just fine.
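Putting the thread together: an added iRule example (not from any of the posters or from F5) that handles AlgebraicMirror's post-logout straggler scenario using brad_11480's padding trick. It assumes that ACCESS::session exists really does only consult the last 8 characters of the value it is given, as brad reports above; the padding filler, the hex-only SID check, the log lines and the 403 response body are this example's own choices.

```tcl
# Added example: refuse late requests that carry only the 8-character
# LastMRH_Session cookie for a session APM has already deleted, instead of
# letting APM start a fresh session (and record a redirect URI) for them.
when HTTP_REQUEST {
    set mrh  [HTTP::cookie value MRHSession]
    set last [HTTP::cookie value LastMRH_Session]

    # A request with a live MRHSession cookie is APM's normal case; leave it alone.
    if { $mrh ne "" } { return }

    # No LastMRH_Session cookie either: a genuinely new visitor, let APM start a session.
    if { $last eq "" } { return }

    # Only accept the 8 hex characters the GUI, reports and logs use as the SID.
    # Anything else is not a SID and is not worth passing on to the lookup.
    if { ![regexp {^[0-9a-f]{8}$} $last] } {
        log local0. "Malformed LastMRH_Session cookie from [IP::client_addr], ignoring"
        return
    }

    # Pad to the 32-character MRHSession format: 24 filler characters followed by
    # the real SID (brad_11480's observation, assumed to hold on this version).
    set padded "[string repeat x 24]${last}"

    if { [ACCESS::session exists $padded] } {
        # Session still exists but the browser dropped MRHSession; let APM decide.
        return
    }

    # Session is gone: this is a straggler fired after logout. Answer it here so
    # no new APM session is created, and log it so the pattern stays visible.
    log local0. "Dropping post-logout request for dead SID $last to [HTTP::uri]"
    HTTP::respond 403 content "Session ended" "Cache-Control" "no-store" "Connection" "close"
    return
}
```

Scope the final branch to the resource paths the stragglers actually request (script and image URIs, say), otherwise a deliberate click on "start new session" with the same stale LastMRH_Session cookie is refused as well.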