Re: Request for expertise on BMC Web login cookies
One problem with IP based solutions is that when part of your user base is behind a NAT, they all get directed to the same server.

Never used the HTTP header method, but from what I'm reading, unless you have a situation that warrants an HTTP header, writing iRules is probably more work to implement.

I've always opted for the Cookie Insert method because it doesn't care about reverse proxies, source IP address (NAT issue), and is easy to configure.

My 2 cents.

Axton Grams

On Tue, Jul 24, 2012 at 2:23 PM, Ray Palla wrote:
> Thanks Axton;
>
> Perhaps the better question is:
>
> For sticky sessions what is the preferred (best practice) method: Cookies,
> HTTP Header, IP Based Solutions?
>
> Opinions?
> R
>
> From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Axton
> Sent: Tuesday, July 24, 2012 1:59 PM
> To: arslist@ARSLIST.ORG
> Subject: Re: Request for expertise on BMC Web login cookies
>
> JSESSIONID will track each unique user session. Ideally, your load
> balancer should create its own cookie to track the session. This will be
> the most reliable means of keeping the right user on the same mid-tier
> server. The others have to do with keywords (GKW), etc.
>
> See http://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html for
> details on f5's implementation.
>
> Axton Grams
>
> On Tue, Jul 24, 2012 at 12:16 PM, Ray Palla wrote:
>> Listers;
>>
>> This question has been raised by security;
>>
>> Need to identify the correct Remedy cookie that gets presented to the
>> browser once authenticated. ...Peek at the cookies presented to a browser
>> after a successful authentication and there are a total of 9 cookies.
>> Tested the JSESSIONID, but need assistance in confirming that this is the
>> proper cookie to utilize for Sticky/Persistent sessions against an
>> authenticated user. If you have documentation regarding the BMC AUTH
>> cookies, I would be most appreciative.
>>
>> Cookie Names set in my browser by BMC Web Authentication:
>> 1. G
>> 2. GF
>> 3. GKW
>> 4. JSESSIONID
>> 5. P
>> 6. T
>> 7. lt
>> 8. st
>> 9. wARRoot1343142789216
>>
>> Thanks,
>> Scott E Moore
>> Senior Security Consultant
>>
>> On behalf of Scott;
>> R
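
An added illustration of the NAT point in the reply above (not part of the original thread, and not F5 or BMC code): a small simulation in which nine browsers share one NAT address, routed once by source-IP persistence and once by a balancer-inserted cookie. The pool member names, the `LBPERSIST` cookie name and the address are assumptions made up for the example.

```python
import hashlib
from collections import Counter
from itertools import cycle

SERVERS = ["midtier-1", "midtier-2", "midtier-3"]  # hypothetical pool members
LB_COOKIE = "LBPERSIST"  # hypothetical name for the balancer's own cookie


def pick_by_source_ip(src_ip):
    """Source-address persistence: the server depends on the client IP only."""
    digest = hashlib.sha256(src_ip.encode()).digest()
    return SERVERS[digest[0] % len(SERVERS)]


class CookieInsertBalancer:
    """Cookie-insert persistence: the balancer sets its own cookie on first contact."""

    def __init__(self):
        self._next = cycle(SERVERS)  # round-robin for clients with no cookie yet

    def route(self, cookies):
        server = cookies.get(LB_COOKIE)
        if server not in SERVERS:  # missing or unknown value: pick a fresh member
            server = next(self._next)
            # Stands in for the Set-Cookie response header; a real balancer
            # would encode or encrypt the member identity rather than name it.
            cookies[LB_COOKIE] = server
        return server


def simulate(n_users=9, nat_ip="203.0.113.10", requests_per_user=3):
    """Constructed traffic: n_users browsers that all leave through one NAT address."""
    lb = CookieInsertBalancer()
    jars = [{} for _ in range(n_users)]  # one cookie jar per browser
    by_ip, by_cookie, sticky = Counter(), Counter(), True
    for _ in range(requests_per_user):
        for jar in jars:
            before = jar.get(LB_COOKIE)
            server = lb.route(jar)
            sticky &= before in (None, server)  # a browser never changes server
            by_cookie[server] += 1
            by_ip[pick_by_source_ip(nat_ip)] += 1
    return dict(by_ip), dict(by_cookie), sticky


if __name__ == "__main__":
    ip_dist, cookie_dist, sticky = simulate()
    print("source-IP persistence:", ip_dist)
    print("cookie insert        :", cookie_dist)
    print("cookie insert sticky :", sticky)
```
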
Re: Request for expertise on BMC Web login cookies
Thanks Axton;

Perhaps the better question is:

For sticky sessions what is the preferred (best practice) method: Cookies, HTTP Header, IP Based Solutions?

Opinions?
R

From: Action Request System discussion list(ARSList) [mailto:arslist@ARSLIST.ORG] On Behalf Of Axton
Sent: Tuesday, July 24, 2012 1:59 PM
To: arslist@ARSLIST.ORG
Subject: Re: Request for expertise on BMC Web login cookies

JSESSIONID will track each unique user session. Ideally, your load balancer should create its own cookie to track the session. This will be the most reliable means of keeping the right user on the same mid-tier server. The others have to do with keywords (GKW), etc.

See http://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html for details on f5's implementation.

Axton Grams

On Tue, Jul 24, 2012 at 12:16 PM, Ray Palla wrote:

Listers;

This question has been raised by security;

Need to identify the correct Remedy cookie that gets presented to the browser once authenticated. ...Peek at the cookies presented to a browser after a successful authentication and there are a total of 9 cookies. Tested the JSESSIONID, but need assistance in confirming that this is the proper cookie to utilize for Sticky/Persistent sessions against an authenticated user. If you have documentation regarding the BMC AUTH cookies, I would be most appreciative.

Cookie Names set in my browser by BMC Web Authentication:
1. G
2. GF
3. GKW
4. JSESSIONID
5. P
6. T
7. lt
8. st
9. wARRoot1343142789216

Thanks,
Scott E Moore
Senior Security Consultant

On behalf of Scott;
R
Re: Request for expertise on BMC Web login cookies
JSESSIONID will track each unique user session. Ideally, your load balancer should create its own cookie to track the session. This will be the most reliable means of keeping the right user on the same mid-tier server. The others have to do with keywords (GKW), etc.

See http://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html for details on f5's implementation.

Axton Grams

On Tue, Jul 24, 2012 at 12:16 PM, Ray Palla wrote:
> Listers;
>
> This question has been raised by security;
>
> Need to identify the correct Remedy cookie that gets presented to the
> browser once authenticated. ...Peek at the cookies presented to a browser
> after a successful authentication and there are a total of 9 cookies.
> Tested the JSESSIONID, but need assistance in confirming that this is the
> proper cookie to utilize for Sticky/Persistent sessions against an
> authenticated user. If you have documentation regarding the BMC AUTH
> cookies, I would be most appreciative.
>
> Cookie Names set in my browser by BMC Web Authentication:
> 1. G
> 2. GF
> 3. GKW
> 4. JSESSIONID
> 5. P
> 6. T
> 7. lt
> 8. st
> 9. wARRoot1343142789216
>
> Thanks,
> Scott E Moore
> Senior Security Consultant
>
> On behalf of Scott;
> R
Request for expertise on BMC Web login cookies
Listers;

This question has been raised by security;

Need to identify the correct Remedy cookie that gets presented to the browser once authenticated. ...Peek at the cookies presented to a browser after a successful authentication and there are a total of 9 cookies. Tested the JSESSIONID, but need assistance in confirming that this is the proper cookie to utilize for Sticky/Persistent sessions against an authenticated user. If you have documentation regarding the BMC AUTH cookies, I would be most appreciative.

Cookie Names set in my browser by BMC Web Authentication:
1. G
2. GF
3. GKW
4. JSESSIONID
5. P
6. T
7. lt
8. st
9. wARRoot1343142789216

Thanks,
Scott E Moore
Senior Security Consultant

On behalf of Scott;
R