Forum Discussion
Lee_Sutcliffe
Nacreous
NacreousSession persistence - reading application set cookie
Hi,
We have out-sourced some developers who have written an application in their development load balanced environment however I do not think they use F5.
Now the application has been deployed to our pre-production environment and it doesn't work. This is related to the fact that after a form submission, the app sends an HTTP 302 which has the effect of starting a new session, the request hits another web server in the pool and the app breaks. We have cookie persistence and source address affinity configured for the vip.
Now the developers are adamant that our LTM should be able to read the cookie that is set by the application so that it ensures the sessions remain on the correct servers.
In the 302 the following cookie is set:
Set-Cookie: AUTHTOKEN=jl0fvjb5xrnj40l4qybi55lh; path=/; secure; HttpOnly
However I am not aware of any way that the LTM can interpret this in order to direct traffic to the appropriate server.
We've asked the developers to go back and re-code the application but given their reluctance to do so and time constraints in releasing the product I think an F5 solution would be quicker.
Any advice would be greatly appreciated.
Thanks
Lee
natheCirrocumulus
Lee,
The LTM can indeed inspect the cookie in the response and persist accordingly, using Universal Persitence. See askf5 post:
http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7392.html
Hope this helps,
N
Lee_SutcliffeThanks Nathan that looks like just the thing I'm after.
I'll give it a whirl and see if I can get it to work.
Cheers
Lee- Lee_SutcliffeI've added the following iRule (there is existing code which directs traffic to different pools depending on the uri. To keep things simple I've removed these parts of the code)
However I get a TLC error:
TCL error: qa_xxx_rule - wrong args: should be "persist add uie | { [any [virtual|service|pool] | pool ]}" while executing "persist add uie [HTTP::cookie "AUTHTOKEN"]"
when HTTP_REQUEST {
if { [string tolower [HTTP::uri]] equals "uriString" } {
if { [HTTP::cookie exists "AUTHTOKEN"] } {
persist uie [HTTP::cookie "AUTHTOKEN"]
use pool xxx-pool
}
}
}
when HTTP_RESPONSE {
if { [HTTP::cookie exists "AUTHTOKEN"] } {
persist add uie [HTTP::cookie "AUTHTOKEN"]
}
} - natheLee,
See this post:
https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/39/aft/33490/showtab/groupforums/Default.aspx
Hoolio suggested this error was because the cookie returned no value.
See if that post helps
N - Lee_SutcliffeHi Nathan,
I saw the same post and yes, got similar results in the log output however when I examine the request headers there is a string associated with the cookie
Cookie: AUTHTOKEN=5tl25i4mbghhwz5sruhqcc2j - natheLee
Not entirely sure on this one then. It seems the f5 cannot read the cookie value.
Not sure if this is the "fix" but doing some checks on universal persistence it's recommended to have a OneConnect profile too. Worth a try.
Rgds
N - nitass
Employee
Cookie: AUTHTOKEN=5tl25i4mbghhwz5sruhqcc2ji think it should be set-cookie rather than just cookie since persist add uie is in HTTP_RESPONSE event. - natheLee
The example on F5's website has the Response event first, then the Request. May be worth a try. It makes sense that it should be this way round.
N - Lee_SutcliffeHi, sorry for my late reply, it's been one of those days!
I've amended the rule so the response is first but still no joy
when HTTP_RESPONSE {
if { [HTTP::cookie exists "AUTHTOKEN"] } {
persist add uie [HTTP::cookie "AUTHTOKEN"]
}
}
when HTTP_REQUEST {
if { [string tolower [HTTP::uri]] equals "xxx" } {
if { [HTTP::cookie exists "AUTHTOKEN"] } {
persist uie [HTTP::cookie "AUTHTOKEN"]
use pool QA_xxx-pool
}
}
}
receive the same error in the ltm log:
Jul 17 21:39:24 local/tmm1 err tmm1[5129]: 01220001:3: TCL error: threeSixtyOnline_rule - wrong args: should be "persist add uie | { [any [virtual|service|pool] | pool ]}" while executing "persist add uie [HTTP::cookie "AUTHTOKEN"]" - Lee_SutcliffeI've re-enabled all 6 servers in the pool and tried the following irule, copied from Hoolio's post in https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/39/aft/33490/showtab/groupforums/Default.aspx
This seems to be working but to be honest irules aren't my strong point and I dont know why it's working.
Is anyone able to give a break down
of the following, in particular what the set lbsicap section does
when HTTP_REQUEST {
cookie length is greater than 0
if { [string length [HTTP::cookie "AUTHTOKEN"]] > 0 } {
persist uie [HTTP::cookie "AUTHTOKEN"]
} else {
set lbsicap [findstr [HTTP::uri] "AUTHTOKEN" 11 ";"]
if { $lbsicap != "" } {
persist uie $lbsicap
}
}
}
when HTTP_RESPONSE {
if { [string length [HTTP::cookie "AUTHTOKEN"]] > 0} {
persist add uie [HTTP::cookie "AUTHTOKEN"]
}
}
Thanks