Forum Discussion
Aaron_33366
Nimbostratus
NimbostratusWildcard cookie
Hello. I have migrated my config from a Cisco CSS to an F5 LTM and have run into a problem. One the CSS I was able to have a cookie that was use for all parts of the domain. I was able to set the option called "cookie-domain" on the Cisco CSS and that could would work for all subdomains. Below is a link to that info on Cisco's site.
http://www.cisco.com/en/US/docs/app...wp1178181
I have been looking for this option on the F5 but have not been able to find it. I have look under the persistence profile and creating a new one however I dont see that option for a cookie-domain or anything like a wild card cookie. I am assuming that I might have to do this in an iRule or that the option I need to set is not in the persistence profile are of the GUI and that I might have to make this modification via the CLI with the bigpip command. I currently have a F5 ticket open for this but havent gotten far with it so I thought I would post this question out in the wild and see what I could find.
The key is that if a user goes to site1.domain.com or site2.domain.com or site3.domain.com I need that user to stay stuck/persisted to the same server they were load balanced to. These sites all need to have their own virtual servers because they have SSL so they all need their own IP address.
Below is a link that I found that that shows how to do this in PHP and a snippet from the page. However I need to do this on the F5 and I need to be able to set the value of the cookie to the pool member the user was load balanced to.
http://www.webdeveloper.com/forum/showthread.php?t=198526
PHP Code:
setcookie('name', $value, time()+$duration, '/', '.example.com')
Note the leading dot at the start of the ".example.com".
Thanks in advanced for any help that you can provide on this.
-Aaron
hooleylistCirrostratus
Hi Aaron,
You can set the domain on an LTM or app cookie using HTTP::cookie
http://devcentral.f5.com/wiki/default.aspx/iRules/http__cookie
HTTP::cookie domain < cookie name > [domain]
Aaron
Aaron_33366Thanks for that piece of info. Now do you know of a way I can get the pool member variable into the cookie as well? I need to ensure that the cookie will keep the client persisted to the same pool member.- The_BhattmanHi Aaron,
You can create a Cookie Persistence profile
http://support.f5.com/kb/en-us/solutions/public/7000/100/sol7168.html?sr=13296350
The following is the structure of Cookie Persistence
http://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html?sr=13296350
I hope this helps
Bhattman - Aaron_33366Thanks for the reply. I already know how to create the profile for a persistence cookie which I have done. But what I need to be able to do is make that cookie have a domain set in it so that it is for all of my *.domain.com. This way when someone hits virtual server for site1.domain.com they will get a cookie for *.domain.com. Then if that user was to go to site2.domain.com which is a different virtual server that user will still persist to the same server it was load balanced to by looking at the cookie and understand that the cookie is valid for site2.domain.com. Hoolio/Aaron has show the iRule to create the domain part of the cookie, however what I dont understand is how can I set the cookie to have value for the server that was chosen for load balancing.
Below are the values for the 2 servers in the cookie value.
268871872.48129.0000 = 192.168.6.16
285649088.48129.0000 = 192.168.6.17
So my question is if the F5 decides to send to 192.168.6.16, however can I get the iRule to insert the above value for that cookie? How can it find out where the F5 will send the request to.
Thanks again,
Aaron - hooleylistYou can set the domain on the persistence cookie that LTM sets from the cookie insert persistence profile. You don't need to set or modify the cookie value.
when HTTP_RESPONSE { log local0. "[IP::client_addr]:[TCP::client_port]: Pre Set-Cookies: [HTTP::header values Set-Cookie]" Check if the persistence cookie exists in the response if {[HTTP::cookie exists "My_cookie"]} { set the domain attribute on the persistence cookie HTTP::cookie domain "My_cookie" ".mydomain.com" log local0. "[IP::client_addr]:[TCP::client_port]: Modified domain on My_cookie" } log local0. "[IP::client_addr]:[TCP::client_port]: Post Set-Cookies: [HTTP::header values Set-Cookie]" }
If you want to use the same iRule on multiple virtual servers with different pools and corresponding persistence default cookie names, you could add logic to the iRule to look for a cookie name based on BIGipServer[LB::server name].
Aaron - Chris_Miller
Altostratus
Seems like RFE time for a domain field within the cookie profile - Anyone disagree? - Aaron_33366Hoolio thanks for the feed back. I think your iRule might do the trick. However your statement about being able to set the cookie domain in the persistence profile is not correct. You can't set the domain there, you can only set the name of the cookie. I'm thinking that you post meant to say "can't" and you just typed "can".
Chris - I think you mean for a RFC (request for change) not RFE? However yes I agree! This should be a simply custom check box in the GUI so that the domain of the cookie can be set!
Thanks all,
Aaron
Hoolio - when I get a chance to test this out I will report back. If there is anything else you can think about that you want to let me know about please do so! - hooleylistIf you request it, it would be great if the domain could be set based on the domain of the requested host header value. It might also be useful if the field accepted TCL commands and/or so you could set the domain on custom logic.
Aaron - hooleylistPosted By Aaron on 03/15/2011 01:52 PM
However your statement about being able to set the cookie domain in the persistence profile is not correct. You can't set the domain there, you can only set the name of the cookie. I'm thinking that you post meant to say "can't" and you just typed "can".
Sorry, what I wrote wasn't very clear. I was trying to say that you can use the cookie persistence profile to insert the persistence cookie and use an iRule to set the domain on the cookie LTM inserts.
Chris' suggestion for a request for enhancement makes sense. If either of you open a case with Support on this, could you reply back here with the request number so others can reference it?
Thanks, Aaron - Aaron_33366I have emailed the F5 tech support working on my ticket the link to this thread. To get this feature added in future releases do you know how one would go about that? Do you think it would simply be opening a ticket or is there a special process to go through to request this sort of thing?
Thanks,
Aaron
