Prevent Concurrent User Logins In LTM with iRule
Hello,
We are serving a web application to just internal users over client SSL and clear text in the back end.
However, we see that when the same user logs in from 2 different machines, both those logins are allowed. Can we control this and log the user out of the previous session when he logs in again?
We only have the LTM module and it seems this is possible using iRules.
https://devcentral.f5.com/questions/how-to-limit-concurrent-sessions-in-a-ltm-using-irule
How to Limit concurrent sessions in a LTM using Irule - https://devcentral.f5.com/questions/ltm-irule-to-manage-users-sessions-like-apm-does-54897
I'm kinda new to iRules so any help is really appreciated.
Thanks.
- Lee_Sutcliffe
Nacreous
You could do this a few ways, essentially you need to record the IP address and some other unique information. Just recording an IP address may cause issues if people are coming from a NATed source. So you could record IP address and SSL session ID for example (if using SSL), or perhaps JSESSIONID.
To record these, you could write them to the session table as mentioned in one of the links in your post and validate them against incoming connections. Or you could write information into a cookie and check the contents against incoming connections.
I've just knocked up the following (untested) iRule that may give you an idea of what you could do. It will check if there is an existing cookie and reject connections that differ to what is in the cookie. You could respond with an error, or perhaps redirect the user to a sorry page. If a cookie doesn't exist, it is assumed to be a new connection, so a flag is set which is read on HTTP_RESPONSE and sets a cookie if set.
If you decide to use a cookie, you may want to consider encrypting it, this can be done in the HTTP profile quite easily.
```tcl
when HTTP_REQUEST {
    set sessionCookie myCookie
    set sessionCookieValue "[SSL::sessionid]:[IP::client_addr]"
    set sslSessionId [SSL::sessionid]
    set flgSetCookie 0

    # check if cookie exists and cookie is not blank
    if {([HTTP::cookie exists $sessionCookie]) && ([HTTP::cookie value $sessionCookie] ne "")} {
        # split the value the client presented, not the value just computed
        # for this connection (which would always match itself)
        set presentedValue [HTTP::cookie value $sessionCookie]
        # note: splitting on ":" assumes IPv4 client addresses
        set cookieSid [getfield $presentedValue ":" 1]
        set cookieIP [getfield $presentedValue ":" 2]
        if {($cookieSid ne $sslSessionId) || ($cookieIP ne [IP::client_addr])} {
            log local0. "Request does NOT match cookie data - Rejecting"
            reject
        }
    } else {
        # set flag to create cookie on HTTP_RESPONSE
        set flgSetCookie 1
    }
}

when HTTP_RESPONSE {
    # set cookie if it does not exist
    if {$flgSetCookie eq 1} {
        HTTP::cookie insert name $sessionCookie value $sessionCookieValue
    }
}
```
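The session-table alternative mentioned in the answer above, as an added example that is not part of the original thread and has not been run against any particular application: the newest login wins and the older session's cookie is refused. The login path `/login`, the form field `username`, the cookie name `JSESSIONID`, the subtable names and the timeout are assumptions, as is an application that issues a fresh session cookie on each successful login.

```tcl
# Added example (assumed names: /login, username, JSESSIONID, subtables).
when RULE_INIT {
    set static::login_path "/login"
    set static::sess_cookie "JSESSIONID"
    # keep entries at least as long as the application's own session lifetime
    set static::sess_ttl 3600
}

when HTTP_REQUEST {
    set loginUser ""
    set sid [HTTP::cookie value $static::sess_cookie]
    set isLogin [expr {[HTTP::path] eq $static::login_path}]

    # a session replaced by a newer login for the same user is no longer served
    if { $sid ne "" && [table lookup -notouch -subtable revoked_sid $sid] ne "" } {
        if { $isLogin } {
            # let the user sign in again, but without the stale session
            HTTP::cookie remove $static::sess_cookie
        } else {
            log local0. "Superseded session from [IP::client_addr] refused"
            HTTP::respond 302 Location $static::login_path
            return
        }
    }

    # buffer a small login form so the username can be read from the body
    if { $isLogin && [HTTP::method] eq "POST" } {
        set len [HTTP::header value "Content-Length"]
        if { [string is digit -strict $len] && $len > 0 && $len <= 4096 } {
            HTTP::collect $len
        }
    }
}

when HTTP_REQUEST_DATA {
    set loginUser [string tolower [URI::decode [URI::query "?[HTTP::payload]" username]]]
    HTTP::release
}

when HTTP_RESPONSE {
    # only act when a login request was answered with a new session cookie
    if { $loginUser eq "" || ![HTTP::cookie exists $static::sess_cookie] } { return }
    set newSid [HTTP::cookie value $static::sess_cookie]
    set oldSid [table lookup -subtable active_sid $loginUser]
    if { $oldSid ne "" && $oldSid ne $newSid } {
        table set -subtable revoked_sid $oldSid 1 $static::sess_ttl
        log local0. "User $loginUser logged in again, previous session revoked"
    }
    table set -subtable active_sid $loginUser $newSid $static::sess_ttl
}
```

Because the mapping lives in the LTM session table rather than in a client-held cookie, the client cannot edit it, and the older session is refused on its next request.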