Forum Discussion

Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP
Apr 08, 2021

APM Session deleted when following link Webtop Link to Application URI

Hi all,

 

I have three virtuals:

 

and each virtual has a separate APM Profile (Type: All, Scope: Global, Domain Cookie: mydomain.com, Login Page + AD Auth).

The webtop has two Webtop Links (Type: Application URI) for web1 and web2

 

When I login to web1, I can switch to web2, no further auth is required. No matter if I open web2 in the same tab or in a different tab. This also works the other way round, authenticating first to web2 and then opening web1.

But when I login to web1 and next I open webtop.mydomain.com, my session is deleted and I have to authenticate again to both (web1 and webtop).

Also when I login to webtop and I click on the links to web1 or web2 the same happens. My access session for webtop is deleted and I have to login to webtop and web1/web2.

I traced it so far, that the browser is sending the correct cookie to https://web1.mydomain.com/. But when it redirects to /my.policy the session is deleted.

 

Is this the expected behaviour when mixing webtop and webtop links scenarios? Or am I hitting a bug? BIG-IP Version is 15.1.2.1

 

Thanks in advance & KR

Daniel

 

 

APM
Application URI
domain cookie
security
webtop

8 Replies

Sort By
  • Nikoolayy1's avatar
    Nikoolayy1
    Icon for MVP rankMVP
    Apr 08, 2021

    From what I see you are matching the issue in and this was version 12.1.2, so it seems an expected thing:

     

    https://devcentral.f5.com/s/question/0D51T00006i7hk3/domain-cookie-sso

     

     

     

    Can you also check if you have set the cookie with a persistant flag as this will not work for the webtop "Persistent: Session cookie persistence functions only on BIG-IP LTM and APM deployments. For BIG-IP APM deployments with connectivity resources (such as Network Access, Portal Access, etc.), you cannot set BIG-IP APM cookies as Persistent. This is by design, as session cookie persistence can present a security risk. For some deployments of the BIG-IP APM system, as with Microsoft SharePoint, cookie persistence may be required. When you select cookie persistence, persistence is hard coded at 60 seconds."

     

    https://support.f5.com/csp/article/K15387

     

     

     

    Also you use domain cookie because you want an SSO, so when the user logs into the APM to also be authenticated to the backend applications without again entering credentials?

     

    Did you test without SSO and domain cookie just with Global profile scope if the session is deleted when accessing the webtop after first going to the application as maybe the SSO is the reason and maybe the webtop SSO does not work corectly?

    • Daniel_Wolf's avatar
      Daniel_Wolf
      Icon for MVP rankMVP
      Apr 08, 2021

      Yes, the devcentral links sort of is matching my issue. I just wonder whether it is by design or else... I mean the devcentral question is rather old, it's related to BIG-IP 12.

       

      I dont have the Persistent flag set on my cookies.

      • Daniel_Wolf's avatar
        Daniel_Wolf
        Icon for MVP rankMVP
        Apr 09, 2021

        There is nothing hidden  . 🙂

        When I did not mention it in my question text, it is most likely not there.

        I am not using Network Access. Also web1 and web2 are static websites, neither is SSO configured nor it is required.