Forum Discussion

Rabbit23_116296
Jun 25, 2015

Share access cookie

So I have a webtop that has all the portal resources/webtop links and SAML resources working just fine. The virtual, of course, needs a rewrite profile for the portal resources. This is called, for argument's sake, webtop.company.com.

What I do want, however, is for the links / access to these sites to work exactly the same, i.e. the relative URIs must stay intact and one access policy must control access to all *.company.com sites. What I find is that if the session.server.network.name / [HTTP::host] changes, it insists on creating a new access policy session. I want to stop this.

I have got this to work for a non-webtop APM enabled virtual with an access policy that has a .company.com single domain cookie that sends, say, websitea.company.com to a pool with various settings. If I logged in to the persists across all the services. Really happy and this is what I want, but what I am trying to do is get this to work on the same virtual as the webtop. Is what I'm trying to do possible? What I want is that if someone already has an APM session, they will go directly to the full HTTP link of a specific site.

Here's the iRule on the non-webtop virtual that works a treat:

when ACCESS_ACL_ALLOWED {
    log local0.notice "WHEN ACCESS_ACL_ALLOWED: [HTTP::host] URI: [HTTP::uri]"
    # Choose the pool and SSO configuration from the requested host name
    switch -glob [string tolower [HTTP::host]] {
        "jira.company.com" {
            log local0.notice "jira found papa HOST: [HTTP::host] URI: [HTTP::uri]"
            COMPRESS::disable
            set http_path [HTTP::path]
            pool /CorpWeb/jira.company.com_int.app/jira.company.com_int_pool
            WEBSSO::select /SSO/sso-basic
            switch -glob [string tolower [HTTP::uri]] {
                "/" {
                    # Send a GET for the site root to the Jira dashboard
                    if {[HTTP::method] equals "GET"} {
                        log local0.notice "In Jira root and the method is a [HTTP::method] : [HTTP::host] with URI [HTTP::uri]"
                        HTTP::uri "/jira/secure/Dashboard.jspa?os_authType=basic"
                    }
                    log local0.notice "original path"
                }
            }
        }
        "wiki.company.com" {
            pool /CorpWeb/wiki.company.com_int.app/wiki.company.com_int_pool
            WEBSSO::select /SSO/wiki-forms
        }
        "office.company.com" {
            pool /SSO/apm.office.company.com.app/apm.office.company.com_pool
            WEBSSO::select /SSO/sso-basic
        }
        default {
            default_pool
            WEBSSO::disable
        }
    }
}
  • So with this iRule, service wiki, office and jira will go directly through with the .company.com domain cookie. How can I get this to work on the same virtual/listener that has the webtop configured is what I'm asking?
  • Did you configure the cookie domain of the Access policy with company.com?

     

    The session cookie will be sent to the user with domain company.com, and the browser will send it for every URL of domain company.com.

     

    The other solution is to use multiple domain cookie.

     

  • kunjan

    Have you tried setting cookie name "company.com" in the AP configuration? That will share the cookie across.

     

    • Rabbit23_116296
      Yes, I've set it as ".company.com" - problem is when I try to access another virtual server (different access policy too), then F5 gets nasty and rejects the session because of an invalid session ID.
  • In multi domain configuration, you can specify either hosts or domain cookies.

     

    You can specify a cookie for a.company.com and b.company.com.
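
The cookie scoping the replies describe, as an added example that is not part of the original thread and is not F5 code: it applies the RFC 6265 domain-match rule to show which hosts a browser returns a session cookie to when it is set with Domain=.company.com versus with no Domain attribute. The cookie name SESSION and the hosts dev.lab.company.com, company.com.example.net and notcompany.com are constructed for illustration.

```javascript
// RFC 6265 section 5.1.3 domain-match: the host equals the cookie domain,
// or ends with "." + domain (IP literals only match exactly).
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  if (/^[\d.]+$/.test(host) || host.includes(":")) return false;
  return host.endsWith("." + domain);
}

// Model of what a browser stores after a Set-Cookie response from requestHost.
// domainAttr is the Domain attribute, or null when the attribute is absent.
function storeCookie(name, requestHost, domainAttr) {
  if (domainAttr === null || domainAttr === "") {
    // No Domain attribute: host-only cookie, returned to the exact host only.
    return { name, domain: requestHost.toLowerCase(), hostOnly: true };
  }
  const domain = domainAttr.replace(/^\./, "").toLowerCase(); // leading dot is ignored
  // A host may only set a cookie for a domain that covers itself.
  if (!domainMatch(requestHost, domain)) return null;
  return { name, domain, hostOnly: false };
}

// Would the browser attach this stored cookie to a request for host?
function isSentTo(cookie, host) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatch(host, cookie.domain);
}

function recipients(cookie, hosts) {
  return hosts.filter((h) => isSentTo(cookie, h));
}

// Constructed host list: the thread's names plus a deeper subdomain and two look-alikes.
const HOSTS = [
  "webtop.company.com", "jira.company.com", "wiki.company.com",
  "office.company.com", "dev.lab.company.com",
  "company.com.example.net", "notcompany.com",
];

const domainCookie = storeCookie("SESSION", "webtop.company.com", ".company.com");
const hostCookie = storeCookie("SESSION", "webtop.company.com", null);

console.log("Domain=.company.com ->", recipients(domainCookie, HOSTS));
console.log("host-only           ->", recipients(hostCookie, HOSTS));
```

The domain-scoped cookie reaches every host under company.com, including ones that are not behind the access policy, so the set of hosts that can read the session cookie grows with the DNS zone.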