Session persistence - reading application set cookie

Hi,

We have out-sourced some developers who have written an application in their development load balanced environment however I do not think they use F5.

Now the application has been deployed to our pre-production environment and it doesn't work. This is related to the fact that after a form submission, the app sends an HTTP 302 which has the effect of starting a new session, the request hits another web server in the pool and the app breaks. We have cookie persistence and source address affinity configured for the vip.

Now the developers are adamant that our LTM should be able to read the cookie that is set by the application so that it ensures the sessions remain on the correct servers.

In the 302 the following cookie is set:

~~Set-Cookie: AUTHTOKEN=jl0fvjb5xrnj40l4qybi55lh; path=/; secure; HttpOnly~~

However I am not aware of any way that the LTM can interpret this in order to direct traffic to the appropriate server.

We've asked the developers to go back and re-code the application but given their reluctance to do so and time constraints in releasing the product I think an F5 solution would be quicker.

Any advice would be greatly appreciated.

Thanks

Lee

config

design

11 Replies

nathe
Cirrocumulus
Jul 16, 2012
Lee,

The LTM can indeed inspect the cookie in the response and persist accordingly, using Universal Persitence. See askf5 post:

http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7392.html

Hope this helps,

N
Lee_Sutcliffe
Nacreous
Jul 16, 2012
Thanks Nathan that looks like just the thing I'm after.

I'll give it a whirl and see if I can get it to work.

Cheers

Lee
Lee_Sutcliffe
Nacreous
Jul 16, 2012
I've added the following iRule (there is existing code which directs traffic to different pools depending on the uri. To keep things simple I've removed these parts of the code)

However I get a TLC error:

TCL error: qa_xxx_rule - wrong args: should be "persist add uie | { [any [virtual|service|pool] | pool ]}" while executing "persist add uie [HTTP::cookie "AUTHTOKEN"]"

when HTTP_REQUEST {

if { [string tolower [HTTP::uri]] equals "uriString" } {

if { [HTTP::cookie exists "AUTHTOKEN"] } {

persist uie [HTTP::cookie "AUTHTOKEN"]

use pool xxx-pool

}

}

}

when HTTP_RESPONSE {

if { [HTTP::cookie exists "AUTHTOKEN"] } {

persist add uie [HTTP::cookie "AUTHTOKEN"]

}

}
nathe
Cirrocumulus
Jul 16, 2012
Lee,

See this post:

https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/39/aft/33490/showtab/groupforums/Default.aspx

Hoolio suggested this error was because the cookie returned no value.

See if that post helps

N
Lee_Sutcliffe
Nacreous
Jul 16, 2012
Hi Nathan,

I saw the same post and yes, got similar results in the log output however when I examine the request headers there is a string associated with the cookie

Cookie: AUTHTOKEN=5tl25i4mbghhwz5sruhqcc2j
nathe
Cirrocumulus
Jul 16, 2012
Lee

Not entirely sure on this one then. It seems the f5 cannot read the cookie value.

Not sure if this is the "fix" but doing some checks on universal persistence it's recommended to have a OneConnect profile too. Worth a try.

Rgds

N
nitass
Employee
Jul 16, 2012
Cookie: AUTHTOKEN=5tl25i4mbghhwz5sruhqcc2ji think it should be set-cookie rather than just cookie since persist add uie is in HTTP_RESPONSE event.
nathe
Cirrocumulus
Jul 16, 2012
Lee

The example on F5's website has the Response event first, then the Request. May be worth a try. It makes sense that it should be this way round.

N
Lee_Sutcliffe
Nacreous
Jul 17, 2012
Hi, sorry for my late reply, it's been one of those days!

I've amended the rule so the response is first but still no joy

when HTTP_RESPONSE {

if { [HTTP::cookie exists "AUTHTOKEN"] } {

persist add uie [HTTP::cookie "AUTHTOKEN"]

}

}

when HTTP_REQUEST {

if { [string tolower [HTTP::uri]] equals "xxx" } {

if { [HTTP::cookie exists "AUTHTOKEN"] } {

persist uie [HTTP::cookie "AUTHTOKEN"]

use pool QA_xxx-pool

}

}

}

receive the same error in the ltm log:

Jul 17 21:39:24 local/tmm1 err tmm1[5129]: 01220001:3: TCL error: threeSixtyOnline_rule - wrong args: should be "persist add uie | { [any [virtual|service|pool] | pool ]}" while executing "persist add uie [HTTP::cookie "AUTHTOKEN"]"
Lee_Sutcliffe
Nacreous
Jul 17, 2012
I've re-enabled all 6 servers in the pool and tried the following irule, copied from Hoolio's post in https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/39/aft/33490/showtab/groupforums/Default.aspx

This seems to be working but to be honest irules aren't my strong point and I dont know why it's working.

Is anyone able to give a break down

of the following, in particular what the set lbsicap section does

when HTTP_REQUEST {

cookie length is greater than 0

if { [string length [HTTP::cookie "AUTHTOKEN"]] > 0 } {

persist uie [HTTP::cookie "AUTHTOKEN"]

} else {

set lbsicap [findstr [HTTP::uri] "AUTHTOKEN" 11 ";"]

if { $lbsicap != "" } {

persist uie $lbsicap

}

}

}

when HTTP_RESPONSE {

if { [string length [HTTP::cookie "AUTHTOKEN"]] > 0} {

persist add uie [HTTP::cookie "AUTHTOKEN"]

}

}

Thanks