session management

3 Topics

Removal Cookies on Client Browser
Hello I'm trying to erase a bunc of cookies which belongs to expired session. Cookies are sending by the servers (CyberArk) and they are session cookies. Here in this scenario the F5 is used as Auth provider with an APM policy along with the load balancing. The APM policy is in LTM+APM mode so there is no webtop, connectivity profile and advanced resource assaing agent. This is not a new deployment but after the upgrade of Cyberark software in pool members, this design started to act a bit weird. When predefined idle timeout expires on CyberArk, the consequent requests get an error message on client and client sees an empty white page. After claening every thing (Ctrl+Shift+Del or using incognito mode) on the browser the problem vanishes. According to Cyberark support, the client sends a token that is not valid anymore. We identified some cookies that look like carrying these tokens and we wrote an irule to tell the client for clean all those subjected cookies when an APM session started. Seems like the iRule sends all needed cleaning declarations to the client browser and we saw all those cookies removed from cookie store of browser. But somehow some of them (CA11111, CA22222 and CA66666) is still carrying old token informations. According to my google-fu, there is no special removing methods besides mine. Also, found no information about that whether need to specify all those attributes used at the set-cookie moment as well while removing them. I mean those "domain=", "path=", "secure" and other attributes sent by server along with cookie at the beginning. The cookies sent by server: Set-Cookie: CA33333=; path=/PasswordVault/; SameSite=Strict; secure; HttpOnly Set-Cookie: __AntiXsrfToken=; expires=Tue, 11-May-1993 08:57:48 GMT; path=/; secure; HttpOnly Set-Cookie: CA44444=64D55E4839F5ED0032A7D0A7863EB07336F49030; path=/PasswordVault/; SameSite=Strict; secure; HttpOnly Set-Cookie: CA11111=00000002531296421D1226B831C822BA3BEE6FD4245F97F9A49C4C416052B0EC975B1B0C00000000; path=/PasswordVault/; SameSite=Strict; secure; HttpOnly Set-Cookie: CA22222=A1AC061D681C256A9DDF259B64D55E4839F5ED0032A7D0A7863EB07336F49030; path=/PasswordVault/; SameSite=Strict; secure; HttpOnly Set-Cookie: CA55555=cyberark; path=/PasswordVault/; SameSite=Strict; secure Set-Cookie: CA66666=jjxH6-chSXEEGbEjXXl7gyZv8xtT1XfiWqaUz7FPTVqntHw0AfdtPowY5YM0TJv5RHhFJPgoN1Oly2AJzxicXX5RroibSQeh1b4Ua_PTbA3L4fjEVTin3TXQ0bK9PU-VO6koC5iPZ0tOehb8AijWe0zJKaPJ_2hbqIBjgxVsitpxv3VBgXxEFqYQ9If8sE4o2wYS00mu0gVjRZKS9KSVLrbZPDVve0PgNT2alYsAv8Ic1O3mfqkgEYuAuJMndKMxGmE-7ehbwZX373XionLWaq3Viz67yk6UUH8qYCKhf2gpSnkh5PO-u9_e2M5O8uYYEVpTcA4O50Q0IAeU_V4zsg2; path=/PasswordVault/; SameSite=None; secure Set-Cookie: 6a5a355a-0547-40ce-9770-fc22d1f3bbea=8096DBD1E9E9ECF050757DDD2538169332D568558048455B5EC4A9CCB22A74F285F74A13FFF1DAC916C7558EBB15FD0F5EE388C0200435FA4822BD64B5833B0F824A23313EDBDDF519B5170AC7F177FF8D85DF020BEDDD01767EE977A710D5DB3DD6FE3D8A7C0D26442CE3EA472FD456FE69930D39769576D155C488AB79BB08818D36C8253800517365B75AF827BBF6; path=/PasswordVault/; secure; HttpOnly; SameSite=Lax My iRule: when CLIENT_ACCEPTED { set status 0 ACCESS::restrict_irule_events disable } when ACCESS_SESSION_STARTED { set status 1 } when HTTP_RESPONSE_RELEASE { if { $status == 1 } { HTTP::header insert "Set-Cookie" "CA11111=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/" HTTP::header insert "Set-Cookie" "CA22222=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/" HTTP::header insert "Set-Cookie" "CA33333=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/" HTTP::header insert "Set-Cookie" "CA44444=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/" HTTP::header insert "Set-Cookie" "CA55555=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/" HTTP::header insert "Set-Cookie" "CA66666=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/" HTTP::header insert "Set-Cookie" "6a5a355a-0547-40ce-9770-fc22d1f3bbea=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/" HTTP::header insert "Set-Cookie" "pam_persist=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/" } My questions are: Is there any specific requirement to delete a cookie or can i use above iRule to erase all of them? Should i specify all those attributes along with the cookies while deleting? Some of the above cookies send from server when a specific request made by client. While deleting them is there any specific rule/policy to follow? Like deleting the cookie at the request sent by client. I tried to use "HTTP::cookie remove" method but somehow i did not see any delete (Set-Cookie header) message coming from F5 for cookies. How "HTTP::cookie remove" method actually deletes a cookie? This is for the APM specialists. In a LTM+APM policy, is there any way to determine the moment of the session expiration happend and initiate a HTTP response for cookie clean message to the client? Thanks advance.
Solved
Torijori_Yamamada
May 17, 2023 Place Technical Forum
1.9KViews
0likes
4Comments
Blocking Session Management attacks on ASM
hello, We recently came to know the F5 ASM is not blocking session management attacks which discloses the admin username and password on reply. May I know if this has something to do with attack signatures or through dynamic parameters. Regards, Akhtar
Akhtar_109015
Feb 04, 2015 Place Technical Forum
485Views
0likes
8Comments
Persistence of session per cookie
Hi all, I am a beginner about the BigIp load-balancer and I have a question about the behavior of this one in a particular case of use. I have a BigIp configured to share traffic between two active servers (S1 and S2 for example) but the BigIp is also configured with the persistence of session per cookie insertion. What's happen when the BigIp receives a request with a cookie for the IP address of S1 server (for example) if the S1 server is KO? Will the request forward to the S2 server even the cookie containts the IP address of S1 server? Thanks a lot for you answer. Have a nice day. Michel
mbadet_119292
Nov 13, 2013 Place Technical Forum
296Views
0likes
3Comments