jsessionid uri vs. cookie

Question

I am using the following rule to persist via jsessionId.&nbsp;
&nbsp;when CLIENT_ACCEPTED {
&nbsp;   set add_persist 1
&nbsp;}
&nbsp;when HTTP_RESPONSE {
&nbsp;  if { [HTTP::cookie exists "JID"] and $add_persist } {
&nbsp;    persist add uie [HTTP::cookie "JID"]
&nbsp;    set add_persist 0
&nbsp;  }
&nbsp;}&nbsp;
&nbsp;when HTTP_REQUEST {
&nbsp;  if { [HTTP::cookie exists "JID"] } {
&nbsp;    persist uie [HTTP::cookie "JID"]
&nbsp;  } else {
&nbsp;    set jsess [findstr [HTTP::uri] "jsessionid" 11 "?"]
&nbsp;    if { $jsess != "" } {
&nbsp;      persist uie $jsess
&nbsp;     }
&nbsp;   }
&nbsp;}&nbsp;
&nbsp;But my application passes sessionId in the URI with every request so the following should work, with no response.&nbsp;
&nbsp;when HTTP_REQUEST {
&nbsp;    set jsess [findstr [HTTP::uri] "jsessionid" 11 "?"]
&nbsp;    if { $jsess != "" } {
&nbsp;      persist uie $jsess
&nbsp;    }
&nbsp;}&nbsp;
&nbsp;This works, if the browser set to block cookies.  If it allows cookies the persistence fails?  Does BIG-IP look for the cookie, if cookies are enables?  Or Am I missing something here.  I would love to eliminate cookies 100 percent and just pull from the URI.
&nbsp;Any help would be appreciated.&nbsp;
&nbsp;Eric&nbsp;&nbsp;&nbsp;

colin_walker_12 · Answer

There's no reason that this rule:
when HTTP_REQUEST {
  set jsess [findstr [HTTP::uri] "jsessionid" 11 "?"]
  if { $jsess != "" } {
    persist uie $jsess
  }
}
would be looking for cookies. Is that the version you're using?
Colin

unruley_95363 · Answer

In order for jsessionid persistence to work, you need to find the jsessionid in the first response and add a persistence record for it. The only challenge to not using cookies is looking/parsing for the persist key in the first responses body from the server.  Cookies are easy since they are headers and we have commands to access them directly.  You will need to collect the response and parse it for the jsessionid, so you can add the initial key to the table.

mohamed_lrhazi · Answer

Yes! No one seems to mention this key fact... even this solution document... erroneously suggests you dont need to find the actually session ID in the first response: http://support.f5.com/kb/en-us/solutions/public/7000/300/sol7392.html

Forum Discussion

jsessionid uri vs. cookie

3 Replies

Recent Discussions

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Port Group on F5OS network setting

Related Content

Decoding the IPv4 address from the persistence cookie

Weblogic JSessionID Persistence for Session Replication

Re: SYN Cookie operation

1. SYN Cookie: Intro

Re: LTM SYN Cookie Configuration