Forum Discussion

SysTopher
May 25, 2016

Separate domain cookie for different apps

Hey everyone,

 

I have an application that requires two VIPs to be able to authenticate users. Users sign into an F5 logon page and the F5 does a form post to an application. On success, this application then redirects the users to a second VIP that has the same access policy applied to it.

 

To avoid the user getting a login prompt on the second VIP since they're already authenticated, I have configured a domain cookie in the APM policy. This works great except that I have 6 different environments that use this same setup. One VIP redirects to a second VIP. Each of these environments has its own access policy.

 

The problem I'm running into is that if someone accesses one environment successfully and then goes on to access a different environment, I want them to get a logon prompt again when accessing each environment. I only want the cookie to keep a session between the two VIPs that share the same access policy.

 

Anyone know how this might be possible? Instead of using a "domain" cookie, can I somehow generate a policy cookie?

 

1 Reply

  • You have a new option for policy in v12: Profile Scope

     

    This setting prevents a malicious user from establishing a session using one virtual server, and then using that same session to access, potentially without further authentication, another virtual server and the resources behind it.

     

    Profile: Gives a user access only to resources that are behind the same access profile. This is the default value.

     

    Virtual Server: Gives a user access only to resources that are behind the same virtual server.

     

    Global: Gives a user access to resources behind any access profile that has global scope.

     

    If you are on a version below, maybe you can use SSO multi-domain support with cookies restricted to host name.
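
The three scope values from the reply, applied to the layout in the question (two VIPs per environment sharing one access policy, with a domain cookie). This is an added example, not part of the original thread and not F5 code: a simplified Python model in which the browser presents the domain cookie to every VIP and the scope decides whether the session is honoured. Hostnames, profile names, class and function names are constructed, and taking the scope from the profile the session was created under is an assumption of the model.

```python
# Simplified model of the scope check described in the reply above.
# Not F5 code: class names, hostnames and profile names are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class VirtualServer:
    host: str
    profile: str      # access profile attached to this virtual server
    scope: str        # profile scope: "profile", "virtual_server" or "global"

@dataclass(frozen=True)
class Session:
    created_on: VirtualServer
    cookie_domain: str    # Domain attribute of the session cookie

def cookie_sent(cookie_domain: str, host: str) -> bool:
    """RFC 6265 domain-match: a domain cookie goes to the domain itself
    and to every subdomain of it."""
    d = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == d or host.endswith("." + d)

def session_accepted(s: Session, target: VirtualServer) -> bool:
    """True if a request to `target` with this session needs no new logon."""
    if not cookie_sent(s.cookie_domain, target.host):
        return False                      # browser never presents the cookie
    origin = s.created_on
    if origin.scope == "virtual_server":
        return target == origin           # same virtual server only
    if origin.scope == "profile":
        return target.profile == origin.profile
    if origin.scope == "global":
        return target.scope == "global"   # any profile that is also global
    raise ValueError(f"unknown scope {origin.scope!r}")

def make_env(name: str, scope: str):
    """Two VIPs sharing one access profile, as in the question."""
    return (VirtualServer(f"{name}-login.example.com", f"{name}_policy", scope),
            VirtualServer(f"{name}-app.example.com", f"{name}_policy", scope))

def demo(scope: str):
    """Log on at dev's first VIP, then try dev's second VIP and qa's first VIP."""
    dev_login, dev_app = make_env("dev", scope)
    qa_login, _ = make_env("qa", scope)
    s = Session(created_on=dev_login, cookie_domain="example.com")
    return session_accepted(s, dev_app), session_accepted(s, qa_login)

if __name__ == "__main__":
    for scope in ("profile", "virtual_server", "global"):
        print(scope, demo(scope))
```

Only the `profile` scope gives the result asked for in the question: the session carries over to the second VIP of the same environment and is refused in a different environment, even though the browser sends the same domain cookie to both.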