Forum Discussion

felix001_29321's avatar
felix001_29321
Icon for Nimbostratus rankNimbostratus
May 30, 2012

Creating a HTTP session ID

Im looking for a way to create/insert a session id for each HTTP request that goes through the LB.

The insertion of the header will be straight forward but its the creation of the session ID im still trying to work out.

 

Is there any state information that I can use to build or create a session ID from ?

 

 

 

Thanks,

 

6 Replies

  • Richard__Harlan's avatar
    Richard__Harlan
    Historic F5 Account
    There is no direct way to get a session information from the LTM that I know of. But you can create your own session information from what the LTM has. But the question is what is the back end app? Can you create the session information based on what the APP passes.

     

     

    If not you can create session information on the information in the packet and then add it to the session table and add it to the cookie insert. Though by default the cookie insert is done on the client side. If you need to pass the information back to the server to create state you will have to insert the cookie on the server side. Now I am guessing that is what you are trying to do is create state on the servers them self. If that is the case you can create a session key based on the client info, IP:port. Though with this information a you can get more then one session per browser session. You could also hash out the client User-agent and IP, this should force each browser session to have the same session information though it could lead to more then one client to have the same session ID.

     

     

    I guess long story short we need a little more info to give good information, what will you be using the Session info for? Is this just for pirest info on the LTM if so you can just use cookie insert. From there I think I can give you a better idea then the random idea above. Though I hope this rambling post helps a little :)
  • Hi,

    Thanks for your response. In the end I created an irule that meets the job. Im just now looking into how this will effect performance.

    when HTTP_REQUEST {
        set id "[IP::client_addr][TCP::client_port][IP::local_addr][TCP::local_port][expr { int(100000000 * rand()) }]" 
        binary scan [md5 $id] H* md5var junk 
        HTTP::header insert X-ID $md5var
    }
    

    What are you thoughts on this from a performance perspective ?

    Thanks again,
  • Hi,

    Thanks for your response. In the end I created an irule that meets the job. Im just now looking into how this will effect performance.

    when HTTP_REQUEST {
        set id "[IP::client_addr][TCP::client_port][IP::local_addr][TCP::local_port][expr { int(100000000 * rand()) }]" 
        binary scan [md5 $id] H* md5var junk 
        HTTP::header insert X-ID $md5var
    }
    

    What are you thoughts on this from a performance perspective ?

    Thanks again,
  • Here are two options. The rand option should be more efficient but not cryptographically secure. You can compare the CPU usage using the timing command.

     

     

    Use rand() to generate a psuedo-random 8 digit number (not cryptographically secure)

     

    format %010s [expr { int(100000000 * rand()) }]

     

     

    Use AES::key to generate a cryptographically secure unique ID

     

    set uid [string range [AES::key 256] 8 end]

     

     

    Use timing to do a performance comparison:

     

    https://devcentral.f5.com/wiki/iRules.timing.ashx

     

     

    Aaron

     

  • Richard__Harlan's avatar
    Richard__Harlan
    Historic F5 Account
    You will want to put a if statement in the code that if the cookie is there do not gen a new one. This will keep the LTM for doing the session gen on each HTTP request and keep the session key the same for the transaction. The other thing to note the Cookie is a session based key by default you can add a timeout if you want.