For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

HTTP Session Limit

Problem this snippet solves:

Limits total concurrent HTTP sessions to a pre-defined threshhold, allowing those clients with a session cookie to continue once the limit is reached, while redirecting new clients until concurrent sessions are again below the theshhold.

Code :

rule HTTP_session_limit {
 when RULE_INIT {
  set ::total_active_clients 0
  set ::max_active_clients 100
  log local0. "rule session_limit initialized: total/max: $::total_active_clients/$::max_active_clients"
 }
 when HTTP_REQUEST {
  ;# test cookie presence
  if {[HTTP::cookie exists "ClientID"]} {
    set need_cookie 0
    set client_id [HTTP::cookie "ClientID"]
    ;# if cookie not present & connection limit not reached, set up client_id
  } else {
    if {$::total_active_clients < $::max_active_clients} {
      set need_cookie 1
      set client_id [format "%08d" [expr { int(100000000 * rand()) }]]

      # Only count this request if it's the first on the TCP connection
      if {[HTTP::request_num] == 1}{
        incr ::total_active_clients
      }
      ;# otherwise redirect
    } else {
      HTTP::redirect "http://sorry.domain.com/"
      return
    }
  }
 }
 when HTTP_RESPONSE {
  ;# insert cookie if needed
  if {$need_cookie == 1} {
    HTTP::cookie insert name "ClientID" value $client_id path "/"
  }
 }
 when CLIENT_CLOSED {
  ;# decrement current connection counter for this client_id
  if {$::total_active_clients > 0} {
    incr ::total_active_clients -1
  }
 }
}
Published Mar 18, 2015
Version 1.0
application delivery
devops
iRules
security

5 Comments

  • brad_11480's avatar
    brad_11480
    Icon for Nimbostratus rankNimbostratus
    Sep 25, 2017

    If the intention is to keep the connections to the pool of servers below a certain threshold, this would work. But I don't see how this would not end up interfering with an active application session if that user happens to return a transaction at a time that it was over the connection limit-- they may get a 'sorry' redirect in mid-session. For most web-based application sessions, it is a series of transactions where each transaction may be in a separate connection.

     

  • kridsana's avatar
    kridsana
    Icon for Cirrocumulus rankCirrocumulus
    May 09, 2018

    Hi @brad

     

    From your comment, Is active session will get interfere ? because active session will have existing session cookie "ClientID" and then they will continue using application normally even though $::max_active_clients is reach .

     

    I want to using this but still not sure if it will working.

     

  • brad_11480's avatar
    brad_11480
    Icon for Nimbostratus rankNimbostratus
    May 09, 2018

    you are correct they have a ClientId cookie and will not drop a user. But this code seems to be more of a connection count limit and not a session count limit. A session spans multiple HTTP_REQUEST / HTTP_RESPONSE&CLIENT_CLOSED. Since it decrements the counter at close it makes it available for others even though this user still has a session active (a cookie active).

     

    There are a couple other articles that I feel accomplish the session limit. I adapted one.. but look at: https://devcentral.f5.com/s/articles/codeshare-refresh-http-session-limit

     

  • kridsana's avatar
    kridsana
    Icon for Cirrocumulus rankCirrocumulus
    May 10, 2018

    I lookup irule in your comment. Why It's look like the same as this irule? (have same client_closed event with delete table = this irule decrement counter)

     

    ps. I'll comment more in those link instead to not confusing.