Forum Discussion
Session issue with two different LTM/APM devices
We are experiencing an issue with APM sessions. The problem is that when users access a second site on a different LTM, their session for the first connected site gets killed.
We are using two different Access Profiles (LTM1 and LTM2), but using the same domain, example.com.
Scenario:
1. User connects/logs on to the extranet.domain.com (LTM 1) site.
2. Next, the user opens another browser tab or window and connects/logs on to te.example.com (LTM2).
3. Once the user goes back to extranet.example.com (LTM1), the session was killed. The user will have to log on again or get an error about an invalid session ID.
We would like to find a way to allow users to switch back-n-forth between sites (LTM 1 and LTM 2) without forcing them to logon again or to avoid getting Invalid session error. Is that possible?
5 Replies
- Seth_Cooper
Employee
Hi,
The issue is because you have the same cookie domain, and the MRHSession cookie (the cookie that APM uses to track your session) is overwritten by the 2nd APM you log in to. When you go back to the first APM, the cookie is from the 2nd and it doesn't know who you are, since it is a value from the other APM.
You can specify a more specific cookie domain in the Access Profile.
Seth
- jdewing
Cirrus
I tried changing the Cookie Domain name to te.example.com or example-test.com under the Access Profile and am getting the error "Your session could not be established". The domain name must be example.com to work with Kerberos.
I thought about creating an iRule. Does anyone have an example of an iRule to create a separate cookie so it doesn’t get overwritten by the first APM cookie?
- Stanislas_Piro2
Cumulonimbus
Hi,
Blank the cookie domain. The cookie sent in the answer will not contain domain information, and the browser will record it as a cookie dedicated to the requested hostname.
- jdewing
Cirrus
We can't blank the cookie domain because we have multiple VIPs using same LTM1 to provide SSO. We don’t want user to able to logon each time they go to different site under LTM1.
- Stanislas_Piro2
Cumulonimbus
The best way to authenticate once and stay authenticated on both APMs is to configure SAML.
You can create a VS with the SAML IdP role, and each other VS is defined as a SAML Service Provider.
Another solution is to configure a multi-domain cookie... but you will need to authenticate once on each APM.
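
As an added illustration (not part of the thread, and not F5 code): a simplified Python model of browser cookie storage, keyed by name, domain and path as in RFC 6265, showing why a shared cookie domain lets the second logon overwrite MRHSession and what a blank cookie domain changes. The session values and the host portal.example.com are constructed for the example.

```python
# Simplified model of browser cookie storage (RFC 6265): an entry is keyed by
# (name, domain, path); a cookie set without Domain is host-only.
class Jar:
    def __init__(self):
        self.store = {}

    def set_cookie(self, host, name, value, domain=None, path="/"):
        host_only = not domain          # blank cookie domain -> host-only
        scope = host if host_only else domain.lstrip(".").lower()
        if not (host == scope or host.endswith("." + scope)):
            return False                # cannot set a cookie for a foreign domain
        self.store[(name, scope, path)] = (value, host_only)
        return True

    def cookies_for(self, host):
        """Cookie values the browser would send to `host`, grouped by name."""
        sent = {}
        for (name, scope, _path), (value, host_only) in self.store.items():
            if host == scope or (not host_only and host.endswith("." + scope)):
                sent.setdefault(name, []).append(value)
        return sent

LTM1, LTM2 = "extranet.example.com", "te.example.com"
OTHER_VIP = "portal.example.com"        # hypothetical second VIP on LTM1

def simulate(domain):
    """Log on to LTM1, then LTM2; return MRHSession as seen by each host."""
    jar = Jar()
    jar.set_cookie(LTM1, "MRHSession", "sid-ltm1", domain)   # constructed values
    jar.set_cookie(LTM2, "MRHSession", "sid-ltm2", domain)
    return {h: jar.cookies_for(h).get("MRHSession", [])
            for h in (LTM1, LTM2, OTHER_VIP)}

if __name__ == "__main__":
    for label, domain in (("Domain=example.com", "example.com"),
                          ("blank domain", None)):
        print(label, simulate(domain))
```

With the shared domain, every host under example.com receives only the LTM2 value; with a blank domain each APM keeps its own cookie, but the other VIP on LTM1 receives none, which is the SSO trade-off raised in the thread.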