For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Hamish's avatar
Hamish
Icon for Cirrocumulus rankCirrocumulus
Oct 20, 2009

UIE Session questions about timeouts...

A couple of questions about sessions (Using the session command) and timeouts...

 

 

1. When a session times-out, are you supposed to get an AUTH_ERROR event?

 

This seems to happen, but not at the timeout. It seems to be hard-coded to

 

5 minutes? (When using a timeout of 60 seconds).

 

 

2. Is there a supported way to reset the time on an added session?

 

 

I can add a new session with

 

 

session add uie

 

 

and get the current value with

 

 

session lookup...

 

 

The docs to say just touching the session SHOULD reset the how timeout. I want to

 

implement this as an idle timer... Not as an absolute time. Lookups don't seem to

 

reset the timer (As you'd expect).

 

Is the supported (Correct) way to reset the timer just to attempt to re-add the

 

session again overtop of the existing session key? (problem 1 seems to be masking

 

my testing of this).

 

 

 

TIA

 

Hamish.
application delivery
dev
devops
iRules

3 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Oct 20, 2009
    Hi Hamish,

     

     

    I think the auth timeout and UIE session timeout are two independent values. The auth profile has an idle timeout which may trigger AUTH_ERROR. I haven't seen this in past testing though. I think that the old AUTH_ events have been deprecated by AUTH_RESULT though. So I'm not sure whether it will be possible to depend on AUTH_ERROR even if it might work for you now.

     

     

    As for your other questions, I thought just looking up the session value would reset the timer. But I would definitely expect the timer to be reset if you add the same session key again. Can anyone correct/confirm this?

     

     

    You might consider opening a case with F5 Support to get feedback on these session timeout questions and raise an RFE case asking for better handling of auth timeouts. If you do this, could you reply back with what F5 says?

     

     

    Thanks,

     

    Aaron
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Oct 26, 2009
    Ah! Cheers. I think I have it now. I can't find any docs on actual auth timeouts... That's what threw me... Hopefully I'm not mixing up the session and auth timeouts now...

     

     

    But I still can't stop the AUTH_ERROR event firing after 5 minutes... The profile I'm using does have a timeout of 300 seconds. Which matches the timeout I'm seeing, but how do I reset that? The profile says it's an IDLE timeout. But the session isn't remaining idle...

     

     

    H

     

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Oct 26, 2009
    Maybe the auth "idle" timeout is how long the auth session is stored for and the timer is only updated when another AUTH:: call is made with that auth ID? That's just a guess though. Maybe someone from F5 can comment. Else, maybe a case would help you get an answer.

     

     

    If you do get more info on this from Support, could you reply here with an update?

     

     

    Thanks,

     

    Aaron