CodeShare Refresh: HTTP Session Limit

kridsana,

Yes, the syntax dictates that you need the extra bracket at the end.

I know this is an old case but we are struggling with the same issue. We are running V12 which I understand should be able to run V11 irules fine. There was one change made to the rule we have and that is the following:

17: if {[HTTP::request_num] == 1}{ 18: table set -subtable httplimit [IP::client_addr]:[TCP::client_port] "blocked" 19: set timer [after 60000 -periodic { table lookup -subtable httplmit [IP::client_addr]:[TCP::client_port] } 20: }

TO: 17: if {not ([table keys -subtable httplimit -count] > $static::max_active_clients)} { 18: table set -subtable httplimit [IP::client_addr]:[TCP::client_port] "blocked" 540 19: set timer [after 60000 -periodic {table lookup -subtable httplimit [IP::client_addr]:[TCP::client_port] } ] 20: }

I didn't put this rule in place so I am not sure what the reason was for setting it this way, but I assume it was to address what you were saying, hoolio. That said, our code doesn't appear to be working as expected. I think this may have something to do with it, and the second reason I think it may be balking is because of a concurrency issue. My understanding is that this rule gets run per HTTP session as they are made to the F5. But what happens if say 2000 clients attempt to make a connection at the same time? Wouldn't each of those essentially query the database and see it in the same state, and thus each think they need to be added to the allowed pool?

Also, can someone explain what the line "table set -subtable httplimit [IP::client_addr]:[TCP::client_port] "blocked" 540" is doing? I was under the impression that we were adding IPs to the approved list, but this seems like it is adding those who are blocked, which seems backwards to me.

Shouldn't the code in line 5 be using the '-count' option to get the current table size? As it reads it is returning the value of the first entry in the table...

12: if {not ([table keys -subtable httplimit -count] > $static::max_active_clients)} {

Also, I'm a bit confused on the logic using the 'after 60000' to retouch the table entry. If the entry times out in 180 seconds, it will disappear by itself and thinking logic to have the client retouch it with each HTTP_REQUEST will refresh it. This seems to be connection based as the CLIENT_CLOSE drops the entry from the table even though the user still has a web session (and cookie).

I may be trying to use this incorrectly. I have a web service where I need to restrict the number of overall concurrent users. The application uses JSESSIONID so thinking I could use that existing cookie. I can then add a table entry for the user if I don't have them and retouch it for every transaction to keep it active. Once they go away it will timeout and the entry will drop, opening a session slot for someone else.

will it work for multiple domains?

I'm not sure if it depend on HTTP session limit. this irule delete table when they have some connection close in their session but it not mean that client exiting application, Am I correct?

So Is it may cause application allow for more active user than we expect?

(ie. expect max session 1) - when client 1 just use application. they finish get index.html and that connection is closed = entry is remove. so then client 2 use application too because entry in table not less than 1. Result in two session using application which more than we expect.

Can we remove Event CLIENT_CLOSED from this iRule and then let's wait for entry in table timeout (180 second by default)? This way it's may not allow more active session than we expect. (the issue is new session can't enter even old session finish using application. They have to wait till entry timeout)

This is the code I finally put in place to limit sessions (not connections). It uses an application set cookie. Many times applications will have this JSESSIONID is common. Otherwise a cookie can be inserted if the application doesn't set one. The first call will not have a cookie-- indicating a new user with a new session. Once that cookie exists it will honor the session even if the limit has been reached.

 devcentral codeshare seems to be based on a connection not a session as it maintains the source port and IP
 as web sessions may initiate multiple sessions from the same IP but different ports.
 In this case the application maintains a session cookie which is specified in static sessioncookie variable.
 (could always add a HTTP_RESPONSE section to create/insert a cookie if the application doesn't maintain one).
 If the cookie doesn't exist this must be a new user who hasn't established a server session yet. In that case
 check the current session table size and if we are under the limit, let them in.  The server will generate the session cookie.
 Subsequent calls will be permitted regardless of the size of the active session table- don't want to drop a user who is in session.
 Active session table entries are aged for responsewait seconds.  If the user is slow the entry will drop out and could
 permit another user to begin a session even though this user returns and recreates their sessioncookie entry. 
 In that case it will go 'overlimit'.  This might need tweaking depending on the application use.


when RULE_INIT {
  set static::max_active_clients 2000
  set static::responsewait 300
  set static::sessioncookie "ANONYMOUS_COOKIE"
}

when HTTP_REQUEST {
   this gets the pool name assuming it is in the /Common/ path so it strips the leading /Common/  (or on/ trail)
  set hstable "limit-[findstr [LB::server pool] "on/" 3]"
  if {[HTTP::cookie exists $static::sessioncookie]} {
    if {[HTTP::request_num] == 1}{
 giving them responsewait seconds for their next transaction otherwise they will be removed from the table.
 but the logic will add them back in again on their next transaction as they have a sessioncookie.
 note that the lookup will reset the expiration timer.
      if { [table incr -subtable $hstable -mustexist [HTTP::cookie value $static::sessioncookie]] == "" } {
        log local1. "Entry for expired [HTTP::cookie value $static::sessioncookie] [IP::client_addr]:[TCP::client_port] recreated."
        table set -subtable $hstable [HTTP::cookie value $static::sessioncookie] 0 $static::responsewait
      }
    }
  } else {
     if cookie not present & connection limit reached, sorry
    if {[table keys -subtable $hstable -count] >= $max_active_clients} {
      log local0. "SESSION LIMIT REACHED. CLIENT IP [IP::client_addr] WAS GIVEN SORRY RESPONSE.  Session count/limit: [table keys -subtable httplimit -count]/$max_active_clients"
      HTTP::redirect "http://sorry.domain.com/"
      HTTP::respond 200 content "[ifile get ifile_iCarsLimit]" "Cache-Control" "no-cache" "Pragma" "no-cache" "Connection" "Close"
      HTTP::respond 200 content "SorrySorry, we are currently busy serving other customers and cannot serve you at this moment, but please try again in a couple minutes!" "Cache-Control" "no-cache" "Pragma" "no-cache" "Connection" "Close"
      event disable
    }
  }
}

 simple code would be to simply allow the cookie to be set in the request above.
 the below will see if the session cookie is being created and if so will set the table entry for it along with the timeout.
 then the code above does a lookup which resets the timeout.  It will issue an error if the lookup fails, which means that 
 the entry aged out and a subsequent request from that client came in.  Log and recreate - a way to see how much this happens.

when HTTP_RESPONSE { 
  if {[HTTP::header exists "Set-Cookie"]} { 
    foreach cookievalue [HTTP::header values "Set-Cookie"] { 
      if {$cookievalue starts_with $static::sessioncookie} { 
 some applications add the cookie with each transaction - increment if there otherwise create
        if { [table incr -subtable $hstable -mustexist [HTTP::cookie value $static::sessioncookie]] == "" } { 
          table set -subtable $hstable [findstr $cookievalue "=" 1 ";"] 0 $static::responsewait
          log local1. "Entry for session $cookievalue IP: [IP::client_addr]:[TCP::client_port] created."
        }
      }
    } 
  }
}




code to dump the table
  if {[URI::decode [HTTP::uri]] starts_with "/F5/report"} {
    if {[URI::decode [HTTP::uri]] starts_with "/F5/reportall"} {
      set rpt ""
      foreach key [table keys -notouch -subtable $hstable] {
        set remain [table timeout -subtable $hstable -remaining $key]
        set value [table lookup -subtable $hstable -notouch $key]
        append rpt "\n"
      }
      append rpt "$static::sessioncookieTxnsTimeout$key$value$remainTimeout is $static::responsewait seconds (use /F5/reportall-reset to reset.)"
      set rfc1123date [clock format [clock seconds] -format "%a, %d %h %Y %T GMT" -gmt true]
      HTTP::respond 200 content "Session Limit TableSession Limit Table - $hstable$rpt" "Cache-Control" "no-cache" "Pragma" "no-cache" Date $rfc1123date Expires $rfc1123date "Connection" "Close"
      if {[URI::decode [HTTP::uri]] starts_with "/F5/reportall-reset"} {
        table delete -all -subtable $hstable
      }
      event disable
    } else {
     set sessct [table keys -subtable $hstable -count]
     HTTP::respond 200 content "ReportCurrent Session Count/Limit is $sessct/$max_active_clients." "Cache-Control" "no-cache" "Pragma" "no-cache" "Connection" "Close"
     event disable
    }
  }
  
  

I don't want to confuse things by introducing something else, but on the other hand, happy to share what I ended up implementing.