Forum Discussion
Passing SSO creds to another application
There are generally 3 built-in methods for session sharing:

- Domain session cookie – setting the domain attribute of the APM session cookie to a common denominator between the VIPs (ex. .example.com) will allow the browser to send this same session cookie to all of the matching host names. If there's an active and valid session on the APM that matches this session token, then it will use this access session.
- Multi-domain mode – this mode creates a mechanism that allows APM VIPs to share session information between them. You typically configure a single "logon" VIP for authentication and configure each app VIP to redirect to the logon VIP, which then authenticates the user and redirects them back with a session token. This can be done with a domain cookie (see above) or an encrypted URI that points back to the valid session.
- Federation – APM SAML allows you to establish a trust relationship between any number of identity providers and any number of service providers. Similar to the multi-domain mode described above, a user authenticates at the identity provider and forwards a signed XML assertion to the service provider. Unlike the multi-domain mode, however, the IdP and SP can be on different boxes and actually be provided by different SAML-capable vendors.
The key to all of these methods is browser behavior. In order to get a browser to send a cookie generated at one host to another host, you need to make it a domain cookie, otherwise you need to insert some crafted URI, JavaScript, etc. to make the browser send information about the first host to the second.
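The browser behaviour the post relies on is the RFC 6265 cookie domain-matching rule. The following is an added example, not code from the post or from F5: it models how a browser decides which hosts receive a session cookie, contrasting a host-only cookie (no Domain attribute) with a domain cookie scoped to .example.com, and shows the two cases a browser rejects (a Domain set to a public suffix, or to a domain the setting host is not under). The host names, the cookie name `APMSession` and the tiny public-suffix set are constructed for the demo.

```python
"""RFC 6265 domain matching for a shared session cookie (constructed example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the public suffix list real browsers consult.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # effective domain after the Set-Cookie rules below
    host_only: bool   # True when Set-Cookie carried no Domain attribute


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: host equals domain, or ends with '.' + domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def set_cookie(request_host: str, name: str, domain_attr: Optional[str]) -> Optional[Cookie]:
    """Apply RFC 6265 5.3 to a Set-Cookie received from request_host.

    Returns None when a browser would discard the cookie.
    """
    if domain_attr is None:                        # no Domain: host-only cookie
        return Cookie(name, request_host.lower(), host_only=True)
    domain = domain_attr.lower().lstrip(".")       # a leading dot is ignored
    if domain in PUBLIC_SUFFIXES:                  # cannot scope to a whole TLD
        return None
    if not domain_matches(request_host, domain):   # cannot set for an unrelated domain
        return None
    return Cookie(name, domain, host_only=False)


def sent_to(cookie: Cookie, host: str) -> bool:
    """RFC 6265 5.4: host-only cookies return only to the exact host."""
    if cookie.host_only:
        return host.lower() == cookie.domain
    return domain_matches(host, cookie.domain)


if __name__ == "__main__":
    shared = set_cookie("sso.example.com", "APMSession", ".example.com")
    local = set_cookie("sso.example.com", "APMSession", None)
    for host in ("sso.example.com", "app1.example.com", "example.org"):
        print(host, "shared:", sent_to(shared, host), "host-only:", sent_to(local, host))
```

Only the domain cookie reaches app1.example.com; the host-only cookie goes back to sso.example.com alone, which is why a per-VIP cookie cannot carry the session to another VIP without a redirect-based scheme.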