Forum Discussion

alex100_194614's avatar
alex100_194614
Icon for Nimbostratus rankNimbostratus
Feb 24, 2016

APM SSO Domain Cookie Issue

Hi all,

 

I am running into the issue with SSO domain cookie. Let's say we have several sites which all use SSO for single domain mycompany.com So, single sign on works fine between the sites which it's configured for: site1.mycompany.com, site2.mycompany.com and site3.mycompany.com. However, in the same domain we also have number of applications, for example mysite.mycompany.com which sit behind APM. When user is logged in to site1.mycompany.com and tries to access mysite.mycompany.com in new browser tab, he or she gets presented with error message informing that "Your session can not be established." Session reference number corresponding content of LastMRH_Session cookie is also displayed. So it seems like some session cookie clash resulting in broken session. Has anyone been able to find a work around it? Unfortunately, using different domains is not an option for me.

 

Thanks

 

APM
application delivery
broken session
domain cookie
SSO

1 Reply

Sort By
  • Josiah_39459's avatar
    Josiah_39459
    Historic F5 Account
    Feb 24, 2016

    Do you have the three hosts defined in the cookie's host list? Are they defined as hosts and not domains?

    If you have a domain cookie for mycompany.com, there's no way to prevent it from being sent to mysite.mycompany.com. However, you could add an irule to mysite.mycompany.com that detects whether an access session is started or not and ignores the cookie appropriately:

    --

    when HTTP_REQUEST {
  if { [HTTP::cookie exists "MRHSession"] && ([ACCESS::session exists -state_inprogress] || [ACCESS::session data get "session.policy.result"] == "not_started" ) && ! [string equal "[HTTP::uri]" "/my.policy"] } {
    log -noname accesscontrol.local1.err "$static::ACCESS_LOG_PREFIX [IP::remote_addr] access [HTTP::uri] with in_progress session, redirecting to logout URI"
    HTTP::close

     here you can do whatever you want, easiest option is to simply 302 user to logout URI to delete apm cookie and start over
    HTTP::respond 302 Location "/my.logout.php3"
  }
}