Forum Discussion

AlgebraicMirror
Altostratus
Apr 28, 2015

Is there any way, in an iRule, to see if an APM session exists using the regular SID format?

Hi. Does anyone know any way to look up an APM session based on session ID? When I say session ID, I am talking about the session ID format found throughout the product's GUI, report pages, etc. (and also the LastMRH_Session cookie). Here is an example of the SID format I mean: 0b75aaa4.

When I look in the iRule wiki, I see this code example given for seeing if a session exists:

when HTTP_REQUEST {
    # Full 32-character value from the MRHSession cookie (empty string if absent)
    set apm_cookie [HTTP::cookie value MRHSession]
    # A cookie naming a session APM no longer knows about: demand new credentials
    if { $apm_cookie != "" && ! [ACCESS::session exists $apm_cookie] } {
        HTTP::respond 401 WWW-Authenticate "Basic realm=\"www.example.com\""
        return
    }
}

But the MRHSession cookie doesn't hold just the SID. It holds a value that looks something like this, where only the last few numbers represent the actual session ID: MRHSession=43158eb2be350a409739137c0b75aaa4.

I've tried putting a regular SID into the "ACCESS::session exists" command, but it always returns false. It only seems to work when using the longer MRHSession command format. Is there any command that exists that takes the regular format, or any way to make this command use the regular format?

10 Replies

  • John_Alam_45640
    Historic F5 Account

    Making a guess here, I would say most likely not. The APM uses a session ID that is very long to make it very hard to guess. If you were able to locate the same session by only using 8 characters, it would mean that the rest are insignificant and an attacker could hijack the session much more easily.

    HTH.

    • brad_11480
      Nimbostratus

      Well, I just realized that the first 24 characters can be anything; it only looks at and uses the last 8, even though it requires it to be 24. I just put 'x' and 'z' for the first 24 and it is just fine.

  • kunjan
    Nimbostratus

    Will this help?

    when HTTP_REQUEST {
       if { ! [ ACCESS::session exists -state_allow -sid [HTTP::cookie MRHSession] ] } {
          .....
       }
    }

  • @Kunjan: Thanks, but no, that won't help, because in my scenario the MRHSession cookie is deleted. I only have the "LastMRH_Session" cookie, which has the shorter 8 character number.

    @John: I believe the 8 characters are unique though, because again, they use them literally everywhere inside the product, such as in all the reports, in the "Manage Sessions" screen, etc. Those eight characters are even on every single web request as the "LastMRH_Session" cookie. Yes, the F5 seems to salt it when putting it in the MRHSession cookie to prevent an attacker from forging a request, but it only does that for HTTP requests. Internally in the system it seems to be the unsalted eight characters everywhere, and I'd just like to find a way to look it up using that widespread format.

    Any other ideas?

  • kunjan
    Nimbostratus

    ..in my scenario the MRHSession cookie is deleted. I only have the "LastMRH_Session" cookie, which has the shorter 8 character number.

    Just curious, what scenario are you having? If it's deleted, wouldn't this be considered an invalid session?

    • AlgebraicMirror
      Altostratus

      Yes, it would be considered an invalid session, which causes the APM to start up a new session. But I don't want a new session; I just want the traffic dropped.

      Here's the specific scenario: there's a race condition in the latest Exchange CAS iApp for Exchange/OWA 2013. What happens is that oftentimes after you sign out, and the APM removes your session, other browser threads will still be in the process of firing off a last HTTP request for content from OWA (the browser doesn't stop them instantly; they are not stopped until after your redirect to the hangup page is complete). In some cases, they don't submit the MRHSession cookie because the hangup page erases it, but they are still in flight in the browser thread and still get fired off at the last second. When they hit the APM, the APM sees that the session no longer exists, so it starts a new one. It also records the URL they requested (often a JavaScript file or some other such) in a session variable so that it can redirect to that after the user finishes logging in. This is all background stuff the user doesn't see.

      But then, if the user hits the "start new session" link on the hangup page, they will get an error saying a session is already in progress, and they will get sent to the APM login page to complete authentication. After they complete authentication, they will get redirected to a JavaScript resource rather than the OWA homepage, because that earlier late-breaking request for a resource created a new session and set the redirect variable to that resource. This breaks the OWA app for that user.

      So I need to be able to look things up by the 8 digit ID in an iRule so that I can discard the traffic before it creates a new session, because in some cases that 8 digit ID is literally the only thing I have that could distinguish valid traffic from invalid traffic.
  • kunjan
    Nimbostratus

    Have you tried extending the "Logout URI Timeout" to a longer duration?

    May 5 23:35:00 bigip6 notice tmm[11855]: 01490518:5: 8ecddd3a: Session will be deleted in 60 secs due to user logout request.

    May 5 23:36:22 bigip6 notice tmm[11855]: 01490501:5: 8ecddd3a: Session deleted due to user logout request.
  • just put 24 characters in front of the 8 and it will be just fine.
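Putting the two threads of this discussion together (brad_11480's observation that the lookup only uses the last 8 characters of the 32-character value, and the post-logout straggler scenario AlgebraicMirror describes), here is an added example iRule. It is not code from this thread or from F5. The 24-character zero padding is an assumption taken from brad_11480's replies and is not documented F5 behaviour; the list of sub-resource extensions and the 403 response are also assumptions. ACCESS::session exists is called with the -sid syntax shown in kunjan's snippet.

```tcl
# Added example (not from this thread or from F5). Assumptions are marked below.
when RULE_INIT {
    # Assumption (from brad_11480's observation): the session lookup only uses the
    # last 8 characters of the 32-character MRHSession value, so the first 24 can
    # be any filler. Zeros are used here.
    set static::apm_sid_pad [string repeat "0" 24]
}

when HTTP_REQUEST {
    # Normal traffic carries a full MRHSession cookie; leave that to APM itself.
    if { [HTTP::cookie exists MRHSession] } {
        return
    }

    # Only the short, GUI-style SID is available via LastMRH_Session (may be empty).
    set last_sid [string tolower [HTTP::cookie value LastMRH_Session]]

    # Accept nothing but the 8-hex-digit format; anything else is not a SID we can check.
    if { [string length $last_sid] != 8 || ![string is xdigit -strict $last_sid] } {
        return
    }

    # Assumption: the stragglers are browser sub-resource fetches. A top-level
    # navigation (such as the "start new session" link on the hangup page) is
    # deliberately left alone so a user can still begin a fresh session.
    switch -glob -- [string tolower [HTTP::path]] {
        "*.js" -
        "*.css" -
        "*.png" -
        "*.gif" -
        "*.ico" -
        "*.svg" -
        "*.woff" { }
        default { return }
    }

    # Pad the short SID into the format ACCESS::session exists expects and ask APM
    # whether that session is still around.
    set padded_sid "${static::apm_sid_pad}${last_sid}"
    if { ![ACCESS::session exists -sid $padded_sid] } {
        # The session this browser last belonged to is gone: this is a post-logout
        # straggler. Answer it here so APM never creates a new session (and a stale
        # landing URI) on its behalf.
        log local0.info "Discarding request for ended APM session $last_sid: [HTTP::uri]"
        HTTP::respond 403 content "Session ended" Connection Close
        return
    }
}
```

Two points about how this is scoped. The rule only ever refuses traffic on the strength of the 8 characters; it never grants access from them, so John_Alam's concern about the short ID being guessable does not apply to what it decides. If you also want to refuse stragglers for a session that is still inside the "Logout URI Timeout" window shown in kunjan's log lines, add the -state_allow flag from kunjan's snippet to the ACCESS::session exists call; whether a logged-out session still reports as existing during that window should be verified against your APM version, as should the padding assumption itself. The log line carries the same 8-character SID as APM's own 0149xxxx messages, so the two can be correlated in /var/log/apm.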