Forum Discussion

THASIN
May 02, 2012

http to https cookie persistence

Hi ALL,

When creating a persistence record based on IP address using a custom-made iRule as specified in the link below, is there any randomness, variance or uniqueness in the persistence record? The input to MD5 or SHA-1 is the IP address; it can be the same for two different clients hitting the same node for the first time. Shall we consider adding randomness to the persistence record, or is it OK?

Please comment.

https://devcentral.f5.com/wiki/iRul...tence.ashx

Regards

Insitha

7 Replies

  • Hi Thasin,

    As the cookie value is just used to persist clients to the same pool member, you actually want it to be specific to the pool member, not the client session. This is more efficient for TMM as there are fewer records to store in memory.

    Here's an updated version of the Codeshare iRule which uses a lighter-weight CRC32 checksum.

    If you're on 11.x you can use this version:

    
    rule cookie_persist_http_plus_s {
        # Check if there is a cookie and use persistence table;
        # if the entry does not exist, load balance and create record
        when HTTP_REQUEST {
            if { [HTTP::cookie value "bIPs"] ne "" } {
                persist uie [HTTP::cookie value "bIPs"]
                set need_cookie 0
            } else {
                set need_cookie 1
            }
        }
        when PERSIST_DOWN {
            # This event will only work in 11.0+.
            # Ask F5 Support for details on BZ225436.
            # Server that UIE persistence pointed to was down
            set need_cookie 1
        }
        # Calculate CRC32 checksum of the server's IP
        # and store it as a cookie and create persistence record
        when HTTP_RESPONSE {
            if { $need_cookie } {
                HTTP::cookie insert name "bIPs" value [crc32 [IP::server_addr]] path "/"
                persist add uie [HTTP::cookie value "bIPs"]
            }
        }
    }

    v10.x version which sets the cookie on every response

    
    rule cookie_persist_http_plus_s {
        # Check if there is a cookie and use persistence table;
        # if the entry does not exist, load balance and create record
        when HTTP_REQUEST {
            if { [HTTP::cookie value "bIPs"] ne "" } {
                persist uie [HTTP::cookie value "bIPs"]
            }
        }
        # Calculate CRC32 checksum of the server's IP
        # and store it as a cookie and create persistence record
        when HTTP_RESPONSE {
            HTTP::cookie insert name "bIPs" value [crc32 [IP::server_addr]] path "/"
            persist add uie [HTTP::cookie value "bIPs"]
        }
    }

    Aaron
  • Also, you can open a case with F5 Support to request F5 support persistence across virtuals/services/pools for cookie insert persistence referencing BZ273815.

    Aaron
  • Hi Aaron,

    As per my understanding, crc32 [IP::server_addr] will always give the same value for a given string/IP.

    What if you need to time out the session after an idle timeout of 10 min?

    You have 2 members in a pool and 6 users.

    Assume that the crc32 value for the members is as follows:

    member 1 value is 3079cfbf
    member 2 value is 1b549c7c

    user -> member
    1 -> 1
    2 -> 2
    3 -> 1
    4 -> 2
    5 -> 1
    6 -> 2

    As per above, users 1, 3 and 5 will go to member 1 and users 2, 4 and 6 will go to member 2. With respect to this, user 1, 2 and 3 will get their cookie value as 3079cfbf and user 2, 4 and 6 will get 1b549c7c.

    At the start all the users are accessing the site. After a while user 1, having session id 3079cfbf, stops accessing but leaves the browser open. Meanwhile users 3 and 5, having session id 3079cfbf, keep accessing the site. After 15 min user 1 returns. In this case, with the browser open, the session remains the same, so it will not time out.

    How to handle such a situation?

    Mario
  • Hi Mario,

    The behavior that you are describing is the default behavior of the F5 injected cookie. It is a Session Cookie that lives for the session of the browser, not the Application Session.

    So until the user closes the browser, the server affinity remains with the server selected upon the initial connection (and stored in the F5 Session Cookie), and the user will be persisted to the same server.

    Hope this helps.
  • This is just for persistence. You want to ensure the persistence record is maintained for at least as long as the user's session. But there shouldn't be any downside to having the persistence record there for longer than a user's session. As you only have one persistence record per pool member, they could stay in the persistence table indefinitely with almost no impact on BIG-IP memory.

    Aaron
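Added example (not part of any post in this thread, and not F5 code): a toy Python model of a persistence table with an idle timeout, replaying the six-user scenario discussed above with a per-member key and with a per-client key. The member IPs, the 600-second timeout, the request times and the `session-N` strings standing in for a per-session cookie value are all assumptions made for the illustration.

```python
import zlib

class PersistTable:
    """Toy model of a persistence table whose records expire after `timeout` idle seconds."""
    def __init__(self, timeout):
        self.timeout = timeout
        self.records = {}  # key -> (member, last_used)

    def lookup(self, key, now):
        rec = self.records.get(key)
        if rec is None or now - rec[1] > self.timeout:
            self.records.pop(key, None)  # missing or idle too long
            return None
        self.records[key] = (rec[0], now)  # any hit resets the idle timer
        return rec[0]

    def add(self, key, member, now):
        self.records[key] = (member, now)

def member_key(user, member_ip):
    # Per-member key: checksum of the server IP, identical for every client on it.
    return format(zlib.crc32(member_ip.encode()) & 0xFFFFFFFF, "08x")

def session_key(user, member_ip):
    # Per-client key: stand-in for a per-session cookie value (assumption).
    return "session-" + str(user)

def replay(events, key_for, timeout=600):
    """Replay (time_s, user, member_ip) requests; return the table and, per user,
    whether that user's most recent request found a live record."""
    table, found = PersistTable(timeout), {}
    for now, user, member_ip in events:
        key = key_for(user, member_ip)
        found[user] = table.lookup(key, now) is not None
        if not found[user]:
            table.add(key, member_ip, now)  # load-balancing decision taken from the event
    return table, found

# Constructed scenario: odd users on member 1, even users on member 2 (IPs are made up).
M1, M2 = "10.0.0.1", "10.0.0.2"
EVENTS = [(0, u, M1 if u % 2 else M2) for u in range(1, 7)]
EVENTS += [(t, u, M1) for t in (300, 600, 900) for u in (3, 5)]  # users 3 and 5 stay active
EVENTS += [(900, 1, M1)]  # user 1 returns after 15 minutes idle

if __name__ == "__main__":
    for name, fn in (("per-member", member_key), ("per-session", session_key)):
        table, found = replay(EVENTS, fn)
        print(name, "records:", len(table.records), "user 1 still persisted:", found[1])
```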
  • Hi Aaron,

    I have modified the iRule for our application timeout.

    ====================================================================

    when HTTP_REQUEST {
        # This logs information about the TCP connections on *both* sides of the full proxy
        set client_remote "[IP::client_addr]:[TCP::client_port]"
        set client_local "[IP::local_addr clientside]:[TCP::local_port clientside]"

        # Log details for the request
        log local0. "| REQ | $client_remote | $client_local | server_local | server_remote | [HTTP::cookie value ISASESSIONID] | [HTTP::uri]"

        if { [HTTP::cookie exists "ISASESSIONID"] } {
            persist uie [HTTP::cookie value "ISASESSIONID"]
        }
    }

    when HTTP_RESPONSE {
        set server_remote "[IP::server_addr]:[TCP::server_port]"
        set server_local "[IP::local_addr serverside]:[TCP::local_port serverside]"

        if { ![HTTP::cookie exists "ISASESSIONID"] } {
            if { [HTTP::cookie "JSESSIONID"] ne "" } {
                set newCookie [HTTP::cookie value JSESSIONID]
                HTTP::cookie insert name "ISASESSIONID" value $newCookie path /
                persist add uie [HTTP::cookie value "ISASESSIONID"]
            }
        }

        log local0. "| RES | $client_remote | $client_local | $server_local | $server_remote | [HTTP::cookie value ISASESSIONID]"
    }

    ====================================================================

    I use the original weblogin iRule from DevCentral for JSESSIONID but it didn't work when maintaining persistence from the http to https switch.

    Actually I am new to iRules. If you can help me optimise the above iRule, except the log entry, that would be great.
  • Hi Mario,

    Can you create a new post and add detail on your overall scenario and what you're trying to accomplish? Do you have an HTTP and an HTTPS virtual server on the same domain name? Do you want to persist clients across HTTP and HTTPS with cookies?

    Thanks, Aaron