SSL vs Non-SSL portions of the a website

Question

How do you folks handle SSL(protected) vs non-SSL(public) content on a website while holding persistence for authed users.&nbsp;
&nbsp;We have a site where visitors can log in to view customized content or browse as a guest and see default content.&nbsp;
&nbsp;When they get to protected pages, they need to be logged in and the site needs to switch to SSL, but the rest of the site we would like to be non-SSL.&nbsp;
&nbsp;If we have two virtuals, one for port 80 and the other for port 443, but a shared pool of servers, how would we handle keeping a user with a particular server(persistence) to keep them logged in?&nbsp;
&nbsp;Lots of e-commerce sites do this, and I hope it does not have to be by replicating session data between servers...&nbsp;

hamish · Answer

You can do persistence across virtual servers with a persistence profile... There's 3 options, selectable individually to match across services, virtual servers and pools. You really just want to match across virtual servers (i.e. your port 80 and your port 443 VS). The persistence profile can be of any type (So it'd probably be cookie in your case). 
&nbsp;  
&nbsp; That should do what you want... 
&nbsp;  
&nbsp; H &nbsp;

brian_69413 · Answer

That is certainly easier than I expected...so a session cookie, for example, will hold true to a pool member even when swapping virtuals with the same pool?  What would that session cookie do for you if it was a different pool with different members in the second virtual?

hamish · Answer

What the session cookie does for you depends on whether it's set for persistence within a VS only, across a service, across VS's, or across pools... &nbsp;
&nbsp; A normal session cookie (NO matching) will be ignored by a second VS with a different pool.  &nbsp;
&nbsp; A persistence across services will ensure that the same pool behind two VS's with the same IP wil hold persistence for a client (i.e. client will hit the same poolmember for :80 and:443 on site.com). &nbsp;
&nbsp; A persistence across VS's will ensure that my1.site.com:80 and my2site.com:443 will hold persistence for a client. &nbsp;
&nbsp; A persistence across pools will ensure that even if the pools are different... &nbsp;&nbsp;Note that the membership of the default pool in this instance isn't checked... So it could lead to a security hole in your site if you don't encrypt the cookie...&nbsp;
&nbsp; H&nbsp;

hamish · Answer

The (vulnerability?|Opportunity for a more interesting life?) exists in match across pools... I don't believe it exists in match across VS and service (But haven't checked), but it's certainly worthwhile making sure that if you have persistence across anything and are using cookies, then make sure you encrypt the cookie... &nbsp;
&nbsp; H

brian_69413 · Answer

Persistence across service is all I would need.  Thanks for this insight!

Forum Discussion

SSL vs Non-SSL portions of the a website

6 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Question/Advice on iRule Remediating the Telerik (Unsafe Reflection Vulnerability (CVE-2025-3600)

Resetting to Factory Default

sslprovide (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic

Issue with IIS and Client Component Service Load balancing

Syslog Filter Configuration for Separating Audit and LTM logs.

Related Content

APM-Specific Features for Securing Your Website

Maintenance page / local website that includes subfolders

F5 Websites Accessibility Survey

Redirect Non-SSL Requests on SSL Virtual Server Rule

Troubeshooting website connection

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS