Forum Discussion

C_D_18583's avatar
C_D_18583
Icon for Nimbostratus rankNimbostratus
Apr 22, 2008

Cookie set by application server

How can I write a rule that can pick up the cookie that is set by the application server and have the ability to reset it.

 

 

Essentially the requirement is when a user logins in to the application the first time F5 routes to any node but the applications will set the cookie and that cookie will be persisted by F5.

 

 

However , if that node should go down we would like F5 to clear that cookie and go back to reselect another node and then the application will set another cookie.

 

 

The rules partially works ( clears the local cookie ( myCookie ) when the node is down ) but the APP_SESSION_COOKIE is not reset hence it continues to persisting to a node that is marked down:

 

 

Please advise

 

 

 

when RULE_INIT {

 

 

set ::myPool default_pool

 

 

set ::myPort 80

 

 

set ::myCookie APP_SESSION_COOKIE

 

 

}

 

 

when HTTP_REQUEST {

 

 

set myServer [findclass [substr [HTTP::cookie $::myCookie] 0 2] $::ip_list " "]

 

 

log local0. "The Cookie identifier is: [substr [HTTP::cookie $::myCookie] 0 2]"

 

 

if { $myServer ne "" } {

 

 

if { [LB::status pool $::myPool member $myServer $::myPort] ne "down" } {

 

 

pool $::myPool member $myServer $::myPort

 

 

log local0. "Server picked is: $myServer $::myPort"

 

 

}

 

 

else {

 

 

HTTP::cookie remove "$::myCookie"

 

 

pool $::myPool

 

 

log local0. "Selected server [IP::server_addr] is down, reloadbalancing."

 

 

}

 

 

}

 

 

else {

 

 

pool $::myPool

 

 

log local0. "No valid cookie/server pairing found, load balancing request to any server in $::myPool."

 

 

}

 

 

}

 

 

application delivery
dev
devops
iRules

8 Replies

Sort By
  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Apr 22, 2008
    Can you enable logging and then post the log output when the rule doesn't work? If you're able to log the HTTP request and response headers, that would help too.

     

     

    Aaron
  • Nicolas_Menant's avatar
    Nicolas_Menant
    Icon for Employee rankEmployee
    Apr 22, 2008
    I guess the issue here is that you remove the cookie in the request but it is not cleared from the client's browser

     

     

    you'll need to force the cookie to expire in a response
  • Nicolas_Menant's avatar
    Nicolas_Menant
    Icon for Employee rankEmployee
    Apr 22, 2008
    you can use something like that:

    When you see its node is down, you redirect the user to the same page but you insert in the response a cookie which will force the expiration of the cookie

    
    set cookie_expire "$::myCookie=;expires=-1"
     HTTP::respond   302 Location "http://[HTTP::host][HTTP::uri]" "Set-Cookie" $cookie_expire
  • C_D_18583's avatar
    C_D_18583
    Icon for Nimbostratus rankNimbostratus
    Apr 24, 2008
    Thanks for the response , I did try the above statement but it gave me the same error . Here are some logs:

     

     

    When the server connected if up :

     

     

    Apr 24 10:59:51 tmm tmm[730]: Rule client_identity_test : Server picked is: 192.168.156.108 8081

     

    Apr 24 10:59:52 harp bigd: 01060111:3: Open SSL error - error:140770FC:SSL routines:func(119):reason(252).

     

    Apr 24 10:59:53 tmm tmm[730]: Rule client_identity_test : The Cookie identifier is: 02

     

    Apr 24 10:59:53 tmm tmm[730]: Rule client_identity_test : The member status is:up

     

    Apr 24 10:59:53 tmm tmm[730]: Rule client_identity_test : The IF Statement

     

    Apr 24 10:59:53 tmm tmm[730]: Rule client_identity_test : Server picked is: 192.168.156.108 8081

     

    Apr 24 10:59:53 tmm tmm[730]: Rule client_identity_test : The Cookie identifier is: 02

     

    Apr 24 10:59:53 tmm tmm[730]: Rule client_identity_test : The member status is:up

     

    Apr 24 10:59:53 tmm tmm[730]: Rule client_identity_test : The IF Statement

     

     

    When the Server goes down:

     

     

     

    Apr 24 11:02:20 harp bigd: 01060111:3: Open SSL error - error:140770FC:SSL routines:func(119):reason(252).

     

    Apr 24 11:02:21 tmm tmm[730]: Rule client_identity_test : The Cookie identifier is: 02

     

    Apr 24 11:02:21 tmm tmm[730]: Rule client_identity_test : The member status is:down

     

    Apr 24 11:02:21 tmm tmm[730]: Rule client_identity_test : The ELSE Statement

     

    Apr 24 11:02:21 tmm tmm[730]: Rule client_identity_test : The Cookie identifier is:

     

    Apr 24 11:02:21 tmm tmm[730]: 01220001:3: TCL error: Rule client_identity_test - Error: No serverside connection established (line 18) invoked from within "IP::server_addr"

     

    Apr 24 11:02:22 harp bigd: 01060111:3: Open SSL error - error:140770FC:SSL routines:func(119):reason(252).

     

    Apr 24 11:02:25 harp bigd: 01060111:3: Open SSL error - error:140770FC:SSL routines:func(119):reason(252).

     

     

     

     

  • C_D_18583's avatar
    C_D_18583
    Icon for Nimbostratus rankNimbostratus
    Apr 25, 2008
    I tried the following command but I could not get the browser cookie to reset

     

     

    set cookie_expire "$::myCookie=;expires=-1" HTTP::respond 302 Location "http://[HTTP::host][HTTP::uri]" "Set-Cookie" $cookie_expire

     

     

  • hooleylist's avatar
    hooleylist
    Icon for Cirrostratus rankCirrostratus
    Apr 25, 2008
    What do you see in the Set-Cookie header on the client when the 302 response is sent?

    Maybe use 1/1/1970 instead of -1? Here's an example that worked for me previously. I set the cookie value to the string "null", to test. I suppose it shouldn't matter though.

    HTTP::respond 302 Location http://$::host$::default_redirect_path Set-Cookie "${::session_cookie_name}=null\;Expires=Thurs, 01-Jan-1970 00:00:00 GMT"

    Also, the TCL error you have listed above is because you were referencing IP::server_addr when a server side connection hadn't been established. If the log statement using IP::server_addr was in an event where the server side connection should normally be there, you can try to log it without causing the TCL error using catch (Click here).

    
if {[catch {IP::server_addr}] server_ip}{
    There was an error running IP::server_addr, so don't try to log the value
   log local0. "No serverside connection"
} else {
    No error.  There was a serverside connection, so the value is saved in $server_IP
   log local0. "\$server_ip: $server_ip"
}

    Lastly, the bigd SSL routines error being logged is probably from a misconfigured HTTPS monitor, or an HTTPS monitor polling a non-HTTPS server.

    Aaron
  • C_D_18583's avatar
    C_D_18583
    Icon for Nimbostratus rankNimbostratus
    May 07, 2008
    Thanks for all you help. I resolved the problem. Actually the irule was working fine except for the log statement was causing some errors as you mentioned above. I removed the log statement.

     

     

    The main problem was one of our application servers was setting the cookie with a different name. There was a trailing blank in the cookie name.

     

     

     

  • Colin_Walker_12's avatar
    Colin_Walker_12
    Historic F5 Account
    May 07, 2008
    Nice to know the iRule was working. Thanks much for letting us know how this one turned out!

     

     

    Colin