sessions without session cookies
Hi !
I'm writing an access policy for a legacy SOAP webservice. Clients are stateless, they do not recognize session cookies and do not resend them on subsequent requests. Clients do send a basic auth header with every request.
A client will send thousands of requests over a short period of time. I would like to (but am unable to) set up APM to:
- not create a new session for each request
- recognize previously authenticated users by the basic auth string they send with each request
I have tried to set Default Persistence Profile to universal and control the sessions with the persist uie api. But I am unable to prevent creation of a new session for each request.
Example iRule
I tried to simplify and found that even if I hardcode the persist string to "foo" a new session is always created:
when HTTP_RESPONSE {
    persist add uie "foo"
    log local0. "persist add foo"
}
when HTTP_REQUEST {
    persist uie "foo"
    log local0. "uie lookup: [persist lookup uie "foo"]"
}
Each request will create a new session and log:
persist add foo
uie lookup:
1 Reply
- Ingebrigt_Maurs
Nimbostratus
I got advice from Per Bøe and was able to adapt the approach in the default iRule _sys_APM_activesync.
The trick was to:
- create a user_key from the basic auth header
- on ACCESS_SESSION_STARTED, write the user_key to session.user.uuid:
  ACCESS::session data set "session.user.uuid" $user_key
- on subsequent HTTP_REQUESTs, find matching sessions by ACCESS::user getsid $user_key and reuse them
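
The three steps from the reply above, put together as one iRule. This is an added example, not the poster's code and not F5's _sys_APM_activesync; hashing the header with SHA-256, the 401 realm string and reusing the first matching session are assumptions made here.

```tcl
when HTTP_REQUEST {
    # Only handle requests that carry HTTP Basic credentials.
    set auth_b64 ""
    regexp -nocase {^Basic\s+(\S+)} [HTTP::header Authorization] -> auth_b64
    if { $auth_b64 eq "" } {
        # Realm string is a constructed placeholder.
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"soap\"" Connection close
        return
    }

    # Key on the whole credential string (user AND password), hashed so the
    # secret itself is not stored as session data. A wrong password gives a
    # different key, so it can never match an already authenticated session.
    binary scan [sha256 $auth_b64] H* user_key

    # Never trust a session cookie supplied by the client on this service.
    HTTP::cookie remove MRHSession

    # Look for an existing session tagged with this key and reuse it.
    set sid_list [ACCESS::user getsid $user_key]
    if { [llength $sid_list] != 0 } {
        set apm_cookie [ACCESS::user getkey [lindex $sid_list 0]]
        if { $apm_cookie ne "" } {
            HTTP::cookie insert name MRHSession value $apm_cookie
        }
    }

    # The SOAP client cannot follow redirects or store cookies.
    HTTP::header insert "clientless-mode" 1
}

when ACCESS_SESSION_STARTED {
    # First request for this credential: tag the new session so that later
    # requests find it through ACCESS::user getsid.
    if { [info exists user_key] } {
        ACCESS::session data set "session.user.uuid" $user_key
    }
}
```

Deriving the key from the username alone would let a request with a wrong password ride on another client's authenticated session, which is why the full credential string is hashed. A session created under an old password stays valid until it times out, so keep the access profile's inactivity timeout short for this service.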