Forum Discussion

Kevin_Davies_40's avatar
Sep 19, 2017

Multiple Cookies/Sessions same endpoint

I have a rather unique issue. To access a backend service they come into the VS on a special URL eg. /sendto?mydept=24&myplace=23. I then issue them with an encrypted cookie, lets call it "dst" for example, using a redirect which sends them to the home page "/" on the same VS. The same iRule detects the cookie, decodes it and sends them off to their destination. This works perfectly. However when we get to multiple sessions from the same user to different backend destinations thats when we run into problems.

 

I changed the name of the cookie so I can support multiple cookies, but in a way the iRule can tell which of the cookies it needs to use. I appended the SSL session ID to the cookie name and this works as intended. The only problem I am having is multiple connections from the client to the VS keep resuing the same SSL session ID, which is per design from an SSL point of view. I need a way to rollover the session ID for new incoming sessions, eg. ones that hit the starting URL.

 

Now you have a picture of what I am trying to do, given the limitations of SSL do you think its possible? If so, how would you trigger a new SSL session id and would the clientside cope with multiple SSL session id's to the same destination?

 

  • Solved.

    Session cookies are automatically bound to the site from which they came. I can have 10 cookies of the same name each from a different site and the browser will present the right cookie depending on the site I am going to access. To solve my problem above will use different site names for each session from the same user.

    mysite.virtualserver.com A X.X.X.X
    mysite1 CNAME mysite
    mysite2 CNAME mysite
    mysite3 CNAME mysite
    mysite4 CNAME mysite
    mysite5 CNAME mysite
    

    Where X.X.X.X is address of the virtual server handling 100 web management interfaces behind it using the iRule outlined above to route traffic. The above supports 6 concurrent sessions from the same end user.

5 Replies

  • Hi,

     

    What is the goal and the expected behavior (with examples instead of long sentences)

     

    If it is done with an irule, can you share it?

     

  • Sure.

     

    Session 1 -> 302 redirect -> with cookie -> backend webmanagement console

     

    Session 2 -> 302 redirect -> with cookie -> backend webmanagement console

     

    Session 3 -> 302 redirect -> with cookie -> backend webmanagement console

     

    Session 4 -> 302 redirect -> with cookie -> backend webmanagement console

     

    Same client, multiple sessions to different backend webmanagement consoles.

     

  • Cannot share iRule but here is pseudo code.

     

    --- pseudo code ---
    if /backendselection lookup destination address
      encrypt destination address
      create headers to set cookie with encrypted address
      respond with 302 redirect and headers
      exit irule.
    
    if cookie not found
      reject connection
    
    if decrypt fails
      reject connection
    
    get ip address from decrypted cookie
    send connection to backend address
    --- end pseudo code ---
  • Hmmmm... how about if I have multiple server names which resolve to the same destination that may be enough of a discriminator. Eg mysite1/2/3/4/5.dns.name -> same virtual server IP address. That way I can align the cookie name with the fqdn name, for example "dst-mysite1", so the iRule can determine which cookie it should be decoding from the incoming host header of the session.

     

  • Solved.

    Session cookies are automatically bound to the site from which they came. I can have 10 cookies of the same name each from a different site and the browser will present the right cookie depending on the site I am going to access. To solve my problem above will use different site names for each session from the same user.

    mysite.virtualserver.com A X.X.X.X
    mysite1 CNAME mysite
    mysite2 CNAME mysite
    mysite3 CNAME mysite
    mysite4 CNAME mysite
    mysite5 CNAME mysite
    

    Where X.X.X.X is address of the virtual server handling 100 web management interfaces behind it using the iRule outlined above to route traffic. The above supports 6 concurrent sessions from the same end user.