ltm rule command ACCESS session

iRule(1)		      BIG-IP TMSH Manual		      iRule(1)



ACCESS::session
       Access or manipulate session information.

SYNOPSIS
       ACCESS::session create (('-flow')? ('-timeout' TIMEOUT)? ('-lifetime'
       LIFETIME)?)#

       ACCESS::session modify ('-sid' SESSION_ID)? (('-timeout' TIMEOUT)?
       (('-lifetime' LIFETIME)? | ('-remaining' REMAINING)?))#

       ACCESS::session exists ('-state_allow' | '-state_deny' |
       '-state_redirect' | '-state_inprogress')? (-sid)?  (SESSION_ID)?

       ACCESS::session data get ('-sid' SESSION_ID)? ('-secure' | '-config')?
       KEY (-ssid SESSION_ID)?

       ACCESS::session data set ('-sid' SESSION_ID)? ('-secure')? KEY ('--')?
       (VALUE)?

       ACCESS::session remove ('-sid' SESSION_ID)?

       ACCESS::session sid

       ACCESS::session ACCESS_SESSION_COMMAND (ACCESS_SESSION_INFO)?

DESCRIPTION
       The different permutations of the ACCESS::session command allow you to
       access or manipulate different portions of session information when
       dealing with APM requests.

       ACCESS::session data get

	    * Returns the value of the session variable.

       ACCESS::session data set [ ]

	    * Sets the session variable to the given value.

       ACCESS::session exists

	    * This command returns TRUE when the session with the provided sid
	      exists, and returns FALSE otherwise. This command may be
	      executed in events other than ACCESS events. This command was
	      added in version 10.2.

       ACCESS::session remove

	    * Removes (deletes) the user session and all associated session
	      variables. Once this command is called, the ACCESS_SESSION_CLOSED
	      event is triggered.

       ACCESS::session create [-flow]  

	    * In versions prior to v11.4, the timeout and lifetime values are
	      indicated directly following the command.

	    * In v11.4+, the flags -timeout and -lifetime are supplied, and
	      control the idle timeout and total session lifetime, respectively.
	      Supplying them with a value of 0 (zero) disables that timeout
	      check. The command will return the created SID.

	    * In v13.0, a new -flow flag is added. When specified, it associates
	      the created ACCESS session with the connection flow. This allows
	      other ACCESS::session commands to be used without the -sid
	      argument. The ACCESS session ID is automatically obtained
	      from the connection flow.

       ACCESS::session sid

	    * Returns the session ID associated with the current flow, if one
	      exists.


	* Requires APM module

RETURN VALUE
VALID DURING
EXAMPLES
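	when ACCESS_SESSION_STARTED {
	    set user_ip [ACCESS::session data get "session.user.clientip"]
	    # Compare as addresses: a bitwise & on a dotted-quad string is a Tcl error
	    if { ![IP::addr $user_ip/24 equals 192.168.255.0] } {
	        log local0.notice "Unauthorized subnet"
	        # Tear down the session for clients outside 192.168.255.0/24
	        ACCESS::session remove
	    }
	}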


	when ACCESS_POLICY_AGENT_EVENT {
	    if { [ACCESS::policy agent_id] eq "lastLogon" } {
	        # our limit in seconds
	        set 2weeks 1209600
	        # offset in milliseconds between the MS time attribute epoch (year 1601) and the start of the Unix epoch
	        set offset 11644473600000
	        # lastLogon is stored in 100 nanosecond increments since 1601
	        set adtime "[ACCESS::session data get session.ad.last.attr.lastLogon]"
	        # convert adtime to milliseconds
	        set millisecs [expr {$adtime / 10000}]
	        # subtract offset
	        set lastlogintime [expr {$millisecs - $offset}]
	        # convert to seconds because milliseconds for 'now' were negative (maybe vmware issue)
	        set secs [expr {$lastlogintime / 1000}]
	        set now [clock seconds]
	        # finally calculate the difference
	        set diff [expr {$now - $secs}]
	        log local0. "lastLogon: $diff seconds from current time"
	        if { $diff > $2weeks } {
	            ACCESS::session data set session.custom.lastLogonWithin2Weeks 0
	        } else {
	            ACCESS::session data set session.custom.lastLogonWithin2Weeks 1
	        }
	    }
	}

	One scenario in which this command is useful is when an admin needs to
	support an HTTP application that does not use a standard browser. The
	admin can verify the MRHSession cookie using this command and provide a
	customized response which tells the client to re-authenticate.

	when HTTP_REQUEST {
	    set apm_cookie [HTTP::cookie value MRHSession]
	    if { $apm_cookie != "" && ! [ACCESS::session exists $apm_cookie] } {
		HTTP::respond 401 WWW-Authenticate "Basic realm=\"www.example.com\""
		return
	    }
	}

	Insert a session variable into an HTTP header (the username in this
	example):

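	when ACCESS_ACL_ALLOWED {
	    set user [ACCESS::session data get "session.logon.last.username"]
	    # Drop any client-supplied copy so the backend only sees the APM value
	    HTTP::header remove "X-USERNAME"
	    HTTP::header insert "X-USERNAME" $user
	}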
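
	Added example (not part of the original manual page): a stricter
	variant of the MRHSession check above that uses the -state_allow and
	-sid options from the SYNOPSIS. It assumes -state_allow matches only
	sessions whose access policy ended in Allow; the X-USERNAME header and
	the realm are reused from the examples above.

```tcl
when HTTP_REQUEST {
    set sid [HTTP::cookie value MRHSession]

    # No cookie at all: leave the request to normal APM processing.
    if { $sid eq "" } {
        return
    }

    # A bare "exists" only says that the session is present.
    # Assumption: -state_allow narrows the match to sessions that
    # completed the access policy with an Allow result.
    if { [ACCESS::session exists -state_allow -sid $sid] } {
        # HTTP_REQUEST is not an ACCESS event, so name the session with -sid.
        set user [ACCESS::session data get -sid $sid "session.logon.last.username"]

        # Replace any client-supplied header with the authenticated value.
        HTTP::header remove "X-USERNAME"
        HTTP::header insert "X-USERNAME" $user
        return
    }

    # Cookie presented, but the session is unknown, expired, or not allowed.
    # Log the source address only; do not log the cookie value, which is a credential.
    log local0.notice "MRHSession without an allowed session from [IP::client_addr]"
    HTTP::respond 401 WWW-Authenticate "Basic realm=\"www.example.com\""
    return
}
```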

HINTS
SEE ALSO
CHANGE LOG
       @BIGIP-10.1.0 --First introduced the command.



BIG-IP				  2017-01-31			      iRule(1)