sol6917: Overview of BIG-IP persistence cookie encoding
Overview

Original Publication Date: 01/25/2007
Updated Date: 11/07/2013

When you configure a cookie persistence profile to use the HTTP Cookie Insert or HTTP Cookie Rewrite method, the BIG-IP system inserts a cookie into the HTTP response, which well-behaved clients include in subsequent HTTP requests for the host name until the cookie expires. The cookie, by default, is named BIGipServer<pool_name>. The cookie is set to expire based on the time-out configured in the persistence profile. The cookie value contains the encoded IP address and port of the destination server.

IPv4 pool members

IPv4 pool members in non-default route domains

IPv6 pool members

IPv6 pool members in non-default route domains

Encrypting Cookies

IPv4 pool members

Address encoding

The BIG-IP system uses the following address encoding algorithm:

  1. Convert each octet value to the equivalent 1-byte hexadecimal value.
  2. Reverse the order of the hexadecimal bytes and concatenate to make one 4-byte hexadecimal value.
  3. Convert the resulting 4-byte hexadecimal value to its decimal equivalent.

For example, if the IP address of the destination server is 10.1.1.100, the BIG-IP LTM system encodes the address as follows:

10.1.1.100 = 0x0A . 0x01 . 0x01 . 0x64

Reverse byte order, concatenated = 0x6401010A

0x6401010A = 1677787402

The address encoding algorithm is performed algebraically, as follows, for address (a.b.c.d):

a + b*256 + c*(256^2) + d*(256^3)

For example, if the IP address of the destination server is 10.1.1.100, the encoded address is derived as follows:

a=10; b=1; c=1; d=100

10 + 1*256 + 1*(256^2) + 100*(256^3) = 1677787402

Port encoding

The BIG-IP system uses the following port encoding algorithm:

  1. Convert the decimal port value to the equivalent 2-byte hexadecimal value.
  2. Reverse the order of the 2 hexadecimal bytes.
  3. Convert the resulting 2-byte hexadecimal value to its decimal equivalent.

For example, if the port of the destination server is 8080, the BIG-IP LTM system encodes the port as follows:

8080 = 0x1F90

Reverse byte order = 0x901F

0x901F = 36895

Note: If the port value is less than 256, the first byte in step 1 is 0x00. For example, if the port value is 80, the BIG-IP LTM system encodes the port as follows:

80 = 0x0050

Reverse byte order = 0x5000

0x5000 = 20480

Persistence cookie value

The BIG-IP system combines the two encoded values and inserts them into the persistence cookie. For example, using the IP address and port 10.1.1.100:8080 as encoded above, the persistence value that the BIG-IP LTM system encodes in the cookie is as follows: 

1677787402.36895.0000

Note: The field following the port encoding is reserved for future use and always contains four zeros as placeholders.

Decoding persistence cookie values

You can decode the cookie value by reversing the encoding algorithms previously detailed.

For example, using the IP address and port 10.1.1.100:8080 as previously encoded, the persistence value that the BIG-IP LTM system encodes in the cookie is as follows: 

1677787402.36895.0000

The first field in the cookie references the IP address of the destination server.

  1. Convert the decimal value 1677787402 to its 4-byte hexadecimal equivalent:

    0x6401010A

  2. Split into four hexadecimal bytes and reverse the byte order:

    0x0A 0x01 0x01 0x64

  3. Convert each 1-byte hexadecimal value to its equivalent decimal value, one per octet:

    10.1.1.100

The second field in the cookie references the port of the destination server.

  1. Convert the decimal value 36895 to the equivalent 2-byte hexadecimal value:

    0x901F

  2. Reverse the order of the two hexadecimal bytes:

    0x1F90

  3. Convert the resulting 2-byte hexadecimal value to its decimal equivalent:

    8080

Note: You can use an iRule to intercept and decode persistence cookies using the algorithms above. One example is the Persistence Cookie Logger in the DevCentral codeshare. A DevCentral login is required to access this content.

IPv4 pool members in non-default route domains

Note: The route domains feature was introduced in BIG-IP version 10.0.0. For more information about route domains, refer to the BIG-IP Local Traffic Manager: Implementations guide.

If a pool member resides in a non-default route domain (for example, route domain ID 5), a different encoding is used to calculate the value of the persistence cookie.

The persistence cookie for a host in a non-default route domain is the concatenation of the following:

  • rd
  • <The route domain ID>
  • o
  • 00000000000000000000ffff
  • <The hexadecimal representation of the IP address of the pool member>
  • o
  • <The port number of the pool member>

For example, if a connection was load balanced to the 192.0.2.1%5:80 pool member, the BIG-IP system would insert the following cookie:

BIGipServer<pool_name>=rd5o00000000000000000000ffffc0000201o80

IPv6 pool members

If the pool member is an IPv6 host, the persistence cookie is the concatenation of:

  • vi
  • <The full hexadecimal IPv6 address>
  • .
  • <The port number calculated in the same way as for IPv4 pool members>

For example, if a connection was load balanced to the [2001:0112::0030]:80 pool member, the BIG-IP system would insert the following cookie:

BIGipServer<pool_name>=vi20010112000000000000000000000030.20480

Note: For information about an issue where the port value for an IPv6 pool member is incorrectly translated to a random number, refer to SOL13816: The BIG-IP system may generate persistence cookies with an incorrectly-formatted value.

IPv6 pool members in non-default route domains

Note: IPv6 route domains feature support was introduced in BIG-IP 11.1.0. For more information, refer to SOL13388: Change in Behavior: Route domains support for IPv6.

If a pool member resides in a non-default route domain (for example, route domain ID 3), a different encoding is used to calculate the persistence cookie value.

The persistence cookie for a host in a non-default route domain is the concatenation of the following:

  • rd
  • <The route domain ID>
  • o
  • <The full hexadecimal IPv6 address>
  • o
  • <The port number of the pool member>

For example, if a connection was load balanced to the 2001:0112::0030%3:80 pool member, the BIG-IP system would insert the following cookie:

BIGipServer<pool_name>=rd3o20010112000000000000000000000030o80

Note: For information about an issue where the port value for an IPv6 pool member is incorrectly translated to a random number, refer to SOL13816: The BIG-IP system may generate persistence cookies with an incorrectly-formatted value.
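
The decoding steps above, extended from the IPv4 worked example to all four cookie layouts this article describes, can be combined into one function for checking what an unencrypted persistence cookie discloses. This is an added example, not F5 code; the names decode_cookie and swap_port are assumptions, and the sample values are the ones used in this article.

```python
import ipaddress
import re

# Cookie value layouts described in this article.
IPV4 = re.compile(r"(\d+)\.(\d+)\.0000")            # reserved field is always 0000
IPV6 = re.compile(r"vi([0-9a-fA-F]{32})\.(\d+)")
RD = re.compile(r"rd(\d+)o([0-9a-fA-F]{32})o(\d+)")
V4_MAPPED_PREFIX = "00000000000000000000ffff"        # marks an IPv4 member in a route domain


def swap_port(encoded):
    """Reverse the two bytes of an encoded port, e.g. 36895 (0x901F) -> 8080 (0x1F90)."""
    if encoded > 0xFFFF:
        raise ValueError("encoded port does not fit in 2 bytes")
    return int.from_bytes(encoded.to_bytes(2, "little"), "big")


def decode_cookie(value):
    """Return (address, port, route_domain) for a BIGipServer<pool_name> cookie value."""
    m = IPV4.fullmatch(value)
    if m:
        addr = int(m.group(1))
        if addr > 0xFFFFFFFF:
            raise ValueError("encoded address does not fit in 4 bytes")
        # The least significant byte of the decimal value is the first octet.
        ip = ipaddress.IPv4Address(addr.to_bytes(4, "little"))
        return str(ip), swap_port(int(m.group(2))), None
    m = IPV6.fullmatch(value)
    if m:
        ip = ipaddress.IPv6Address(bytes.fromhex(m.group(1)))
        return str(ip), swap_port(int(m.group(2))), None
    m = RD.fullmatch(value)
    if m:
        rd, hexaddr, port = int(m.group(1)), m.group(2).lower(), int(m.group(3))
        if hexaddr.startswith(V4_MAPPED_PREFIX):
            ip = ipaddress.IPv4Address(bytes.fromhex(hexaddr[24:]))
        else:
            ip = ipaddress.IPv6Address(bytes.fromhex(hexaddr))
        return str(ip), port, rd  # the port is plain decimal in route domain layouts
    raise ValueError("not a recognised unencrypted persistence cookie value")


if __name__ == "__main__":
    for sample in ("1677787402.36895.0000",
                   "rd5o00000000000000000000ffffc0000201o80",
                   "vi20010112000000000000000000000030.20480",
                   "rd3o20010112000000000000000000000030o80"):
        print(sample, "->", decode_cookie(sample))
```

A value that raises ValueError here does not match any of the plain layouts, which is the expected result once cookie encryption is enabled.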

Encrypting Cookies

In some environments, it may be unacceptable to disclose the IP addresses and port numbers of origin web servers (OWS) behind the BIG-IP system in an HTTP cookie. If your security policy requires this information to be further obfuscated, refer to the processes described in SOL14784: Configuring BIG-IP cookie encryption (10.x through 11.x) or SOL7784: Configuring BIG-IP cookie encryption (9.x).
