HTTP Session Limit

Problem this snippet solves:

Limits total concurrent HTTP sessions to a pre-defined threshhold, allowing those clients with a session cookie to continue once the limit is reached, while redirecting new clients until concurrent sessions are again below the theshhold.

Code :

rule HTTP_session_limit {
 when RULE_INIT {
  set ::total_active_clients 0
  set ::max_active_clients 100
  log local0. "rule session_limit initialized: total/max: $::total_active_clients/$::max_active_clients"
 }
 when HTTP_REQUEST {
  ;# test cookie presence
  if {[HTTP::cookie exists "ClientID"]} {
    set need_cookie 0
    set client_id [HTTP::cookie "ClientID"]
    ;# if cookie not present & connection limit not reached, set up client_id
  } else {
    if {$::total_active_clients < $::max_active_clients} {
      set need_cookie 1
      set client_id [format "%08d" [expr { int(100000000 * rand()) }]]

      # Only count this request if it's the first on the TCP connection
      if {[HTTP::request_num] == 1}{
        incr ::total_active_clients
      }
      ;# otherwise redirect
    } else {
      HTTP::redirect "http://sorry.domain.com/"
      return
    }
  }
 }
 when HTTP_RESPONSE {
  ;# insert cookie if needed
  if {$need_cookie == 1} {
    HTTP::cookie insert name "ClientID" value $client_id path "/"
  }
 }
 when CLIENT_CLOSED {
  ;# decrement current connection counter for this client_id
  if {$::total_active_clients > 0} {
    incr ::total_active_clients -1
  }
 }
}
Published Mar 18, 2015
Version 1.0
application delivery
devops
iRules
security
  • brad_11480's avatar
    brad_11480
    Icon for Nimbostratus rankNimbostratus
    Sep 25, 2017

    If the intention is to keep the connections to the pool of servers below a certain threshold, this would work. But I don't see how this would not end up interfering with an active application session if that user happens to return a transaction at a time that it was over the connection limit-- they may get a 'sorry' redirect in mid-session. For most web-based application sessions, it is a series of transactions where each transaction may be in a separate connection.

     

  • kridsana's avatar
    kridsana
    Icon for Cirrocumulus rankCirrocumulus
    May 09, 2018

    Hi @brad

     

    From your comment, Is active session will get interfere ? because active session will have existing session cookie "ClientID" and then they will continue using application normally even though $::max_active_clients is reach .

     

    I want to using this but still not sure if it will working.

     

  • brad_11480's avatar
    brad_11480
    Icon for Nimbostratus rankNimbostratus
    May 09, 2018

    you are correct they have a ClientId cookie and will not drop a user. But this code seems to be more of a connection count limit and not a session count limit. A session spans multiple HTTP_REQUEST / HTTP_RESPONSE&CLIENT_CLOSED. Since it decrements the counter at close it makes it available for others even though this user still has a session active (a cookie active).

     

    There are a couple other articles that I feel accomplish the session limit. I adapted one.. but look at: https://devcentral.f5.com/s/articles/codeshare-refresh-http-session-limit

     

  • kridsana's avatar
    kridsana
    Icon for Cirrocumulus rankCirrocumulus
    May 10, 2018

    I lookup irule in your comment. Why It's look like the same as this irule? (have same client_closed event with delete table = this irule decrement counter)

     

    ps. I'll comment more in those link instead to not confusing.