I have been working with the codeshare for HTTP Session Limit on http://devcentral.f5.com/wiki/default.aspx/iRules/HTTPSessionLimit.html but I am not having any luck. Does anyone know how to add some additional logging, perhaps each time the rule is hit it logs the current active connections or when it checks for the cookie? I am using cookie insert generating the cookie from the LTM, I assume that this rule will work with this persistence as well? Appreciate any feedback. -L

Thanks for the debug lines, I was playing around and got real close, bu you closed the loop for me. I have my max_active_clients set low (5 to 10) to test the redirect..what I see is if I set it too low, all the images don't load, as those are subsequent HTTP connections, but I should have a cookie so why is it not loading them? I also see this in the log from time to time Sep 6 15:02:11 tmm tmm[22188]: 01220001:3: TCL error: Rule rule_http-session-limit-3 - Operation not supported. Multiple redirect/respond invocations not allowed (line 1) invoked from within "HTTP::redirect "http://sorry.domain.com/"" Sep 6 15:02:11 tmm tmm[22188]: 01220001:3: TCL error: Rule rule_http-session-limit-3 - can't read "client_id": no such variable while executing "log local0. "client [IP::client_addr] closing connection with cookie $client_id -> $uri, count: $: :total_active_clients"" Any ideas? -L

here is some more debug info for the complete page load and close. I have my max set to 15, it appears that my session is getting several cookies, sometimes it lets me in other times it redirects HTTP_REQUEST>: client 10.2.47.82 with no cookie, under connection limit -> /, count: 11 : client 10.2.47.82 with no cookie, under connection limit -> /path/search.gif, count: 12 : client 10.2.47.82 inserting cookie: 82050019 : client 10.2.47.82 with no cookie, under connection limit -> /path/logo.gif, count: 13 : client 10.2.47.82 inserting cookie: 14673727 : client 10.2.47.82 with cookie 82050019 -> /path/images/menu.gif, count: 13 : client 10.2.47.82 with no cookie, under connection limit -> /images/123.gif, count: 14 : client 10.2.47.82 with cookie 82050019 -> /path/images/icons/cart.gif, count: 14 : client 10.2.47.82 inserting cookie: 21333030 : client 10.2.47.82 with no cookie, under connection limit -> /path/common/icons/a.gif, count: 15 : client 10.2.47.82 inserting cookie: 44244085 : client 10.2.47.82 with cookie 82050019 -> /portal/images/divider.gif, count: 15 : client 10.2.47.82 with no cookie over limit, redirected -> /Static/images/portals/products/a.jpg, count: 15 : client 10.2.47.82 with no cookie over limit, redirected -> /Static/images/portals/products/b.jpg, count: 15 : client 10.2.47.82 with no cookie over limit, redirected -> /Static/images/portals/products/c.jpg, count: 15 : client 10.2.47.82 with no cookie over limit, redirected -> /Static/images/portals/products/d.jpg, count: 15 : client 10.2.47.82 with no cookie over limit, redirected -> /Static/images/portals/products/e.jpg, count: 15 : client 10.2.47.82 with cookie 44244085 -> /Static/images/common/icons/plus.gif, count: 15 : client 10.2.47.82 with cookie 44244085 -> /Static/images/common/icons/e.gif, count: 15 : client 10.2.47.82 with cookie 44244085 -> /Static/images/common/icons/p.gif, count: 15 : client 10.2.47.82 with cookie 82050019 -> /path/portal/images/icons/c.gif, count: 15 : client 10.2.47.82 with cookie 44244085 -> /Static/images/common/icons/r.gif, count: 15 : client 10.2.47.82 with no cookie over limit, redirected -> /Static/images/common/c/divider.gif, count: 15 : client 10.2.47.82 with no cookie over limit, redirected -> /path/web/Portal/US/All/Products, count: 15 : client 10.2.47.82 closing connection with cookie 44244085 -> /Static/images/common/c/divider.gif, count: 14 : client 10.2.47.82 closing connection with cookie 82050019 -> /path/portal/images/icons/c.gif, count: 13 : client 10.2.47.82 closing connection with cookie 44244085 -> /Static/images/common/icons/r.gif, count: 12 : client 10.2.47.82 closing connection with cookie 44244085 -> /path/web/Portal/US/All//Products, count: 11

Does anyone have any thoughts here...from what the log gives me, it looks like there are multiple cookies being issued to a single client. The log was generated by a single session. It makes sense that the logic in the rule is looking at all the cookies, but I need to be able to limit the cookie generation, 1 per client browser....please help if you can, this functionality has become more necessary with our production site. Regards -L

It looks like the client is making multiple requests before getting back the initial response containing the set-cookie header. This could either be pipelined on the same TCP connection or separate TCP connections. Also, from this snippet of the log output, it seems that the client isn't always presenting the cookie even after it's been set: : client 10.2.47.82 with cookie 44244085 -> /Static/images/common/icons/r.gif, count: 15 : client 10.2.47.82 with no cookie over limit, redirected -> /Static/images/common/c/divider.gif, count: 15 You could get a bit more detail by logging the client TCP port [TCP::client_port] and the number of requests a client has made on the same TCP connection [HTTP::request_num]. You might also try using an interception proxy or browser plugin to record when the cookies are received and when they are sent. Are the requests going through a proxy server, or is this truly one client making requests? If the client is making multiple requests over the same TCP connection, you could not increment the counter and send back the same ClientID. This might work to ignore subsequent requests on the same TCP connection: if {[HTTP::cookie exists "ClientID"] or [HTTP::request_num] > 1 } { If the client is opening concurrent TCP connections, I'm not sure how best to handle it. One option might be to use the session table to track the requests per client IP. This would add memory overhead compared with using cookies though--and would be specific to the IP address as opposed to the browser. Anyone else have ideas on how best to handle this? Aaron

HTTP connection limit + cookie insert from BigIP

17 Replies

hooleylist

Cirrostratus

Sep 13, 2007

Thinking over this again... when the client starts a session they should request a document. They shouldn't actually be making any subsequent requests until they get back the HTTP data from the first request, as that HTTP data is what contains references to images and other files. So as long as the rule sets the ClientID cookie in that first response and the client continues to present the session cookie for every request, the rule should work as expected, regardless of whether the client uses persistent TCP connections or pipelining over the same TCP connection.

Can you test with this version of the original rule which does not ignore subsequent requests over the same TCP connection? It has additional logging of the client port, the HTTP version and the Cookie header in requests. 9.2.x doesn't have the ability to access multiple values for the same cookie name. So logging the entire Cookie line will show when multiple instances of the same cookie are present in the request.

It might also be helpful to capture a binary formatted tcpdump if you encounter a failure. You can use syntax like the following to do so:

tcpdump -ni 0.0 -s0 -w/var/tmp/session.dmp host VIP_IP or host NODE_IP

If you have multiple nodes in the pool, add them to the end of the filter string with more 'or host NODE_IP' tokens.

Here's the rule with more debug logging. Make sure to clear your browser's cookies before testing. It may also be helpful to test with multiple browser types.


when RULE_INIT {
   set ::debug 1
   set ::total_active_clients 0
   set ::max_active_clients 15
   set ::tcp_conn_counter 0
   log local0. "rule session_limit initialized: total/max: $::total_active_clients/$::max_active_clients"
}
when CLIENT_ACCEPTED {
incr ::tcp_conn_counter
}
when HTTP_REQUEST {
      
   if {$::debug}{ set uri [HTTP::uri]}
   ; test cookie presence
   if {[HTTP::cookie exists "ClientID"]} {
      set need_cookie 0
      set client_id [HTTP::cookie "ClientID"]
      if {$::debug}{ log local0. " \[$::tcp_conn_counter.[HTTP::request_num]\] client [IP::client_addr]:[TCP::client_port] (v[HTTP::version])\
     with cookie $client_id -> $uri, count: $::total_active_clients"}
      if {$::debug}{ log local0. " \[$::tcp_conn_counter.[HTTP::request_num]\] |----------------------> [HTTP::header value Cookie]"}
  
   ; if cookie not present & connection limit not reached, set up client_id
   } else {
      if {$::total_active_clients < $::max_active_clients} {
         set need_cookie 1
         set client_id [format "%08d" [expr { int(100000000 * rand()) }]]
         incr ::total_active_clients
      if {$::debug}{ log local0. " \[$::tcp_conn_counter.[HTTP::request_num]\] client [IP::client_addr]:[TCP::client_port]\
         (v[HTTP::version]) with no cookie, under connection limit -> $uri, count: $::total_active_clients"}
      ; otherwise redirect
      } else {
         if {$::debug}{ log local0. " \[$::tcp_conn_counter.[HTTP::request_num]\] client [IP::client_addr]:[TCP::client_port]\
            (v[HTTP::version]) with no cookie over limit, redirected  -> $uri, count: $::total_active_clients"}
         HTTP::redirect "http://sorry.domain.com/"
         return
      }
   }
}
when HTTP_RESPONSE {
   ; insert cookie if needed
   if {$need_cookie == 1} {
      if {$::debug}{ log local0. "\[$::tcp_conn_counter.[HTTP::request_num]\] client [IP::client_addr]:[TCP::client_port]\
         (v[HTTP::version]) inserting cookie: $client_id"}
      HTTP::cookie insert name "ClientID" value $client_id
   }
}
when CLIENT_CLOSED {
   ; decrement current connection counter for this client_id
   if {$::total_active_clients > 0} {
      incr ::total_active_clients -1
      if {$::debug}{ log local0. "\[$::tcp_conn_counter\] client [IP::client_addr]:[TCP::client_port]\
     closing connection with cookie $client_id -> $uri, count: $::total_active_clients"}
  }
}

Hope this helps...

Aaron

Leslie_South_55
Nimbostratus
Sep 14, 2007
used new rule, max set to 5, here are the results

Rule : rule session_limit initialized: total/max: 0/5

Rule rule_http-session-6 : [1.1] client 10.20.47.82:1642 (v1.1) with no cookie, under connection limit -> /, count: 1

Rule rule_http-session-6 : [1.1] client 10.20.47.82:1642 (v1.1) with no cookie, under connection limit -> /Library/e/web/Portal/en_US/offers.workflow:ShowPromo?LandingPage=/All/US/Products, count: 2

Rule rule_http-session-6 : [1.1] client 10.20.47.82:1642 (v1.1) inserting cookie: 83348434

Rule rule_http-session-6 : [1.2] client 10.20.47.82:1642 (v1.1) with no cookie, under connection limit -> /Library/skins/style_sheet_core.css, count: 3

Rule rule_http-session-6 : [1.2] client 10.20.47.82:1642 (v1.1) inserting cookie: 37131661

Rule rule_http-session-6 : [1.3] client 10.20.47.82:1642 (v1.1) with no cookie, under connection limit -> /Library/js/common/Message.js, count: 4

Rule rule_http-session-6 : [1.3] client 10.20.47.82:1642 (v1.1) inserting cookie: 71842209

Rule rule_http-session-6 : [1.4] client 10.20.47.82:1642 (v1.1) with no cookie, under connection limit -> /Library/portal/images/logo.gif, count: 5

Rule rule_http-session-6 : [1.4] client 10.20.47.82:1642 (v1.1) inserting cookie: 52011422

Rule rule_http-session-6 : [2.1] client 10.20.47.82:1643 (v1.1) with no cookie over limit, redirected -> /Library/portal/images/v16.gif, count: 5

Rule rule_http-session-6 : [2.5] client 10.20.47.82:1642 (v1.1) with no cookie over limit, redirected -> /Static/images/products_page/124.jpg, count: 5

Rule rule_http-session-6 : [2.1] client 10.20.47.82:1643 (v1.1) with no cookie over limit, redirected -> /Static/images/common/icons/plus.gif, count: 5

Rule rule_http-session-6 : [3.1] client 10.20.47.82:1647 (v1.1) with no cookie over limit, redirected -> /Static/images/common/css/divider.gif, count: 5

note the redirects, I have the HTTP::redirect on line 32 set to

HTTP::redirect "http://server.domain.com:88/"

so I am confused as to whey it shows a redirect to actual items on the page?

-L
hooleylist
Cirrostratus
Sep 17, 2007
The log entry is just printing out the URI the client requested. That's not the URI that the client is being redirected to.

I'm not sure why it's happening, but it looks like LTM is setting the cookie, but the client doesn't always present it in subsequent requests. I'm assuming the cookie is being set with no path or other options that would tell the client to not send the cookie. If that's the case it looks like an issue with the client. I'm not sure there is a perfect iRule fix. You could account for this by raising the global limit.

Anyone else have ideas on why a client would get a cookie, make another request after the cookie was set, but not include the cookie in that subsequent request? This seems to violate the protocol for cookie handling.

Aaron
hooleylist
Cirrostratus
Aug 07, 2008
Hi lsouth,

Did you ever test this further? I have a customer who is interested in similar functionality and wanted to find out if you took this any further.

Thanks,

Aaron
hooleylist
Cirrostratus
Aug 07, 2008
One other thing... in the current iteration of the rule, a new session is created and the total session count incremented on each HTTP request which doesn't already have a session cookie. The only time the total count is decremented is when the TCP connection is closed. So if there are multiple clients connecting over the same TCP connection (ie, coming in via a proxy), session leakage would occur. For proxied users, multiple sessions would be created, but only one session removed when the TCP connection is closed. To account for this, you'd have to count the number of new sessions created per TCP connection and then decrement the session count by this count in CLIENT_CLOSED.

Aaron
Leslie_South_55
Nimbostratus
Aug 07, 2008
we were not able to get this working, and I have not spent any additional cycles on it as the priority changed - imagine that :-)
brad_11480
Nimbostratus
Sep 25, 2017
This is an old thread, but lines up with other ones that seem to want to limit the number of sessions. The code seems to be looking at the number of connections and limiting that to a threshold. The problem is that many client browsers will generate multiple requests from different source ports and the application session will continue through a series of transactions, each of which will generate (and drop) connections with the server. To me the logic may redirect a user who is in the middle of an active server session if they happen to send a transaction at at time that the overall connection limit is exceeded.

Forum Discussion

HTTP connection limit + cookie insert from BigIP

17 Replies

Recent Discussions

F5Access | MacOS Sonoma

AS3 Deployments (shared objects)

Inquiry on F5's Maintenance Mode Feature for Pool Members

Ansible modules for F5OS

VPN fragmented IP packets dropped

Related Content

Security Headers Insertion

2. SYN Cookie: Operation

C3D and header insert

iRule header insert

Cookie Tampering Protection using F5 Distributed Cloud Platform