Forum Discussion

F5Apprentice112's avatar
F5Apprentice112
Icon for Nimbostratus rankNimbostratus
Mar 10, 2017

How to maintain Cookie persistence across web application with multiple ports (i.e. 80, 8443)

We have an F5 LB. There are two back-end servers that sit behind it. SSL termination is at the LB. Mapping to the back-end servers is 443 to 80, 80 to 80, and 8443 to 8443. That is, on the back-end servers, we have ports 80 and 8443 open.

 

The LB was first setup with source IP persistence. We just moved to Cookie persistence to alleviate some issues with IP addresses switching mid-session and the like. The cookie persistence is session cookie, meaning no expiry and the cookie should expire when the user closes the browser. The cookie is also encrypted with a passphrase to comply with security practices (not sure why F5 would set the cookie value to some obfuscated value that maps to the back-end server IP and port, since that is apparently not very difficult to un-obfuscate).

 

In testing the web application behind the LB, everything seemed to be OK. Then, we got a report from users with a particular piece in the web application, which loads pages over multiple ports (i.e. 80, 8443). What I see happening is, whether the request first starts with 80 or 8443, the LB cookie value is being generated again when the page is requested from the other port. It doesn't happen 100% but it happens frequently. Then the application reports that the application session is invalid.

 

My guess is even if the cookie value changes, if it happens to hit the same back-end server, there will be no issue. However, if the request happens to hit the other back-end server, the web application will see the request as a new application session and, thus, report that the application session is invalid. What I think what might fix it is maintaining the cookie persistence across the multiple ports we have configured (i.e. 80, 8443).

 

The problem is I'm not quite sure how to do that. That's why I'm here, to ask people who are smarter than me and more experienced and may know some solutions that would work.

 

I would prefer to keep using HTTP Cookie Insert method, although I understand cookie hash does have options similar to source ip persistence such as match across virtual servers and the like. I don't know how much that would help me here, if at all.

 

Can I use an iRule? If so, what might that look like? Maybe an iRule that checks if there is an existing LB cookie and if the request is coming from 80 but going to 8443 or vice-versa, then insert the cookie into said request such that no new cookie is generated and the same cookie is shared across port 80 and port 8443. Sounds good in theory but I'm not even sure of the first place to start to even attempt it.

 

I hope what I'm asking is clear. If it isn't, please feel free to ask me to clarify. I want to maintain the LB cookie across multiple ports.

 

Example: User goes to testsite.com/index.html. LB generates a cookie with value 1234. User is sent to back-end server 1. User then goes to testsite.com:8443/index2.html. LB will generate a new cookie with a different value--let's say it's 5678--and it may send the user to back-end server 1 or 2. If it goes to 1, the web app should be OK. If the request goes to 2, the web app will complain because the web app session is on 1. I want testsite.com and testsite.com:8443 to both have the same exact cookie, which, in this example, would be 1234.

 

Does that make sense? Any help would be appreciated. Thank you in advance.

 

2 Replies

  • This may work:

            ltm rule badsoftware {
        when CLIENT_ACCEPTED {
      if { [IP::port [IP::client_port] equals 80] } {
        switch [TCP::client_port] {
          x {
            node server_80
            persist cookie cookie5678
          }
          default {
             Sends traffic to server5678
          }
        }
      } elseif { [IP::port [IP::client_port] equals 1234] } {
        switch [TCP::client_port] {
          x {
            node node1234
            persistence cookie cookie1234
          }
          default {
             maintain cookie persiste
          }
        }
      } else {
         Do Nothing special, just serve traffic
      }
    }
    }
    
  • JG's avatar
    JG
    Icon for Cumulonimbus rankCumulonimbus

    I'd go back to source address affinity persistence with the vs option of MATCH ACROSS SERVICES configured. You need to a configure a sufficiently long timeout value for the user session.