Forum Discussion

Wynand_van_Nisp
Feb 26, 2009

Is there a way to manage sessions?

Hi,

I am by no means an iRule expert and have tried for the last 2 days to get a request done for a client.

The basic requirement is to track client sessions using JSESSIONID and another header in the dataflow (OperatorID).

When a user logs in I can pick up the JSESSIONID and the Operator ID header. The client wants us to drop the first session and only allow the second one to work. This is to ensure that a hacker doesn't steal your session etc.

I have tried using the session uie add/lookup commands but have no idea how to successfully drop the first session when a second user logs on.

Would it be better to create an array and store the info in there?

Any ideas would be greatly appreciated.

Thanks in advance

Wynand


4 Replies

  • Hi Wynand,

    I am a bit confused on your statements. Are you saying that you want to drop the first session the minute the second session comes in? Thus only one session at a time? I am assuming one session is one user?

    CB


  • Hi,

    That is correct. It is a banking application. The bank's security policy determines that if a session gets compromised it needs to drop the first session. This way if someone gets hacked their session will be dropped and they need to re-logon again.

    If it was the other way around, doing it with a session uie lookup will be easy.

    Hope you can help.

    Wynand

  • Hi Wynand,

    How do you want to define and track a session? How do you identify a session that's been compromised?

    Do you want to try to capture the username for logins and track that the session details (probably a cookie?) don't get re-used by another client? If so, is there a single page or known list of pages that clients submit their credentials to? Or do you want to make sure the session ID doesn't get presented by a different IP address? Or something altogether different?

    Aaron

  • Hi Hoolio,

    Currently the client wants us to track the Operator ID which sits in the header together with the JsessionID. When a second person logs on using the same OperatorId and the Jsession is different to the first user it must drop the first user.

    Hope it makes sense.

    Wynand
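
Added example, not part of the original thread and not code from any of its participants: one way to express the "latest logon wins" requirement described above as an iRule. It uses the `table` command (BIG-IP v10.1 and later) in place of the `session add uie` / `session lookup uie` commands mentioned in the question; the header name `OperatorID`, the cookie name `JSESSIONID`, the subtable names and the timeout value are assumptions.

```tcl
# Added illustration, not code from the thread. Assumed names: the header
# "OperatorID", the cookie "JSESSIONID", and both subtable names.
when RULE_INIT {
    # Idle timeout (seconds) for tracking entries; assumed value.
    set static::track_timeout 1800
}

when HTTP_REQUEST {
    set op  [HTTP::header value "OperatorID"]
    set sid [HTTP::cookie value "JSESSIONID"]

    # Nothing to track until both identifiers are present.
    if { $op eq "" || $sid eq "" } { return }

    # A session that was displaced by a newer logon stays blocked.
    if { [table lookup -subtable displaced_sid $sid] ne "" } {
        log local0. "Blocked displaced session for operator $op from [IP::client_addr]"
        HTTP::respond 403 content "Session ended: this operator has logged on elsewhere." "Connection" "close"
        return
    }

    # Which session currently owns this operator ID?
    set owner [table lookup -subtable operator_sid $op]

    if { $owner ne "" && $owner ne $sid } {
        # Different JSESSIONID for the same operator: latest logon wins,
        # so mark the earlier session as displaced.
        table set -subtable displaced_sid $owner 1 $static::track_timeout
        log local0. "Operator $op: new session displaces earlier one"
    }

    # Record (or refresh) the current owner of this operator ID.
    table set -subtable operator_sid $op $sid $static::track_timeout
}
```

The rule acts on whatever `OperatorID` header arrives, so the mapping should only be updated for requests the application has already authenticated. Blocking at the BIG-IP does not end the earlier session on the application server, which still has to invalidate it.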