Forum Discussion

JP88730K_296639's avatar
JP88730K_296639
Icon for Nimbostratus rankNimbostratus
Oct 25, 2016
Solved

APM Session Visibility across VIPs

What is the best way to establish session visibility across multiple APM sessions without a SSO configuration or a persistent cookie? My site hosts projects which have multiple virtual servers. We us...
application delivery
BIG-IP Access Policy Manager (APM)
  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Oct 25, 2016

    The browser must simply include the cookie in the request to be associated with the session. RFC 6265 defines exactly how this works, if you aren't familiar with it. The wikipedia article on HTTP cookies is also very good.

     

    Customers usually choose one of the following options to share the cookie across multiple vips/hostnames:

     

    1. Set the cookie domain to be wide like ".company.com" so that the cookie will be transmitted to *.company.com.

       

    2. Use APM's multi-domain mode so that when APM gets a request without a cookie, it will "check with" the domain set as the primary-authentication URI to see if it's been set. This happens by using some 302 redirects between the hostanmes/vips.

       

    For either of these options, make sure the session scope is set appropriately.

     

Lucas_Thompson_'s avatar
Lucas_Thompson_
Historic F5 Account

The browser must simply include the cookie in the request to be associated with the session. RFC 6265 defines exactly how this works, if you aren't familiar with it. The wikipedia article on HTTP cookies is also very good.

 

Customers usually choose one of the following options to share the cookie across multiple vips/hostnames:

 

  1. Set the cookie domain to be wide like ".company.com" so that the cookie will be transmitted to *.company.com.

     

  2. Use APM's multi-domain mode so that when APM gets a request without a cookie, it will "check with" the domain set as the primary-authentication URI to see if it's been set. This happens by using some 302 redirects between the hostanmes/vips.

     

For either of these options, make sure the session scope is set appropriately.

 

JP88730K_296639's avatar
JP88730K_296639
Icon for Nimbostratus rankNimbostratus
Oct 25, 2016

So if I go with the first option and set a domain wide cookie, can it's existence be queried in APM?

 

expr {HTTP::cookie exists *.company.com} to Allow

 

fallback to EULA prompt