Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

APM Session deleted when following link Webtop Link to Application URI

Hi all,

 

I have three virtuals:

 

and each virtual has a separate APM Profile (Type: All, Scope: Global, Domain Cookie: mydomain.com, Login Page + AD Auth).

The webtop has two Webtop Links (Type: Application URI) for web1 and web2

 

When I login to web1, I can switch to web2, no further auth is required. No matter if I open web2 in the same tab or in a different tab. This also works the other way round, authenticating first to web2 and then opening web1.

But when I login to web1 and next I open webtop.mydomain.com, my session is deleted and I have to authenticate again to both (web1 and webtop).

Also when I login to webtop and I click on the links to web1 or web2 the same happens. My access session for webtop is deleted and I have to login to webtop and web1/web2.

I traced it so far, that the browser is sending the correct cookie to https://web1.mydomain.com/. But when it redirects to /my.policy the session is deleted.

 

Is this the expected behaviour when mixing webtop and webtop links scenarios? Or am I hitting a bug? BIG-IP Version is 15.1.2.1

 

Thanks in advance & KR

Daniel

 

 

8 REPLIES 8

From what I see you are matching the issue in and this was version 12.1.2, so it seems an expected thing:

 

https://devcentral.f5.com/s/question/0D51T00006i7hk3/domain-cookie-sso

 

 

 

Can you also check if you have set the cookie with a persistant flag as this will not work for the webtop "Persistent: Session cookie persistence functions only on BIG-IP LTM and APM deployments. For BIG-IP APM deployments with connectivity resources (such as Network Access, Portal Access, etc.), you cannot set BIG-IP APM cookies as Persistent. This is by design, as session cookie persistence can present a security risk. For some deployments of the BIG-IP APM system, as with Microsoft SharePoint, cookie persistence may be required. When you select cookie persistence, persistence is hard coded at 60 seconds."

 

https://support.f5.com/csp/article/K15387

 

 

 

Also you use domain cookie because you want an SSO, so when the user logs into the APM to also be authenticated to the backend applications without again entering credentials?

 

Did you test without SSO and domain cookie just with Global profile scope if the session is deleted when accessing the webtop after first going to the application as maybe the SSO is the reason and maybe the webtop SSO does not work corectly?

Yes, the devcentral links sort of is matching my issue. I just wonder whether it is by design or else... I mean the devcentral question is rather old, it's related to BIG-IP 12.

 

I dont have the Persistent flag set on my cookies.

It seems a some sort of limitation on the F5 but they have not made a good article for this.

 

 

Have you tested if the session is deleted when not using SSO and domain cookie just a global profile?

 

 

Can you see if without the domain cookie on the access profile for the webtop if the issue is still there? My idea is that the webtop does URL redirect and maybe this breaks the SSO and maybe if the SSO fails it also impacts the session (it shouldn't but even F5 has bugs).

 

 

Also in /var/log/apm what is the reason for the first session to the web1 or web2 to be deleted?

Also you are not using Edge client Network access when connecting to the APM web1 or web2 or webtop as this may cause issues?:

 

 

https://support.f5.com/csp/article/K11710060

 

 

This is an interesting case and I wonder if multy domain will have the same issue as in many previous cases that I checked people try that as when this does not work.

There is nothing hidden  . 🙂

When I did not mention it in my question text, it is most likely not there.

I am not using Network Access. Also web1 and web2 are static websites, neither is SSO configured nor it is required.

Update: I will try with Multi Domain Cookie and I will try to validate my setup against this:

Manual Chapter : Single Sign-On and Multi-Domain Support

 

In case all that will not bring any success, I will most likely open a support case.

Today I stumbled upon the exact same problem. Have you found a solution?

Update: I tried multi-domain mode and it works out of the box.