Use case for limiting the number of sessions

In this use case, the requirement is to limit the number of active back-end sessions. In the deployment, each session login has login in the URL and each session logout has logout in the URL. On successful login, the back-end sets a session id cookie with a unique ten character value.

To achieve this use case, perform the following operations:

  1. Create a map variable that can store each active session. The key of the map is the session id. The expiry time for the variable is set to 600 seconds (10 minutes).</span>

    > add ns variable session_map -type map(text(10),ulong,100) -expires 600
  2. Create the following assignments for the map variable:</span>

    • Create an entry for the session id and set that value to 1 (this value is not used).</span>

       > add ns assignment add_session -variable '$session_map[http.req.cookie.value("sessionid")]' -set 1
    • Deallocate the entry for a session ID, which implicitly decrements the value count for session_map.</span>

       > add ns assignment delete_session -variable '$session_map[http.req.cookie.value("sessionid")]' -clear
  3. Create responder policies for the following:</span>

    • To check if a map entry exists for that session id in the HTTP request. The add_session assignment is run if the map entry does not exist.</span>

       > add responder policy add_session_pol 'http.req.url.contains("example") || $session_map.valueExists(http.req.cookie.value("abc"))' add_session

      Note: The valueExists() function in the add_session_pol policy counts as a reference to the session’s map entry, so each request resets the expiration timeout for its session. If no requests for a session are received after 10 minutes, the session’s entry will be deallocated.

    • To check when the session is logged out. The delete_session assignment is run.</span>

       add responder policy delete_session_pol "http.req.url.contains(\"Logout\")" delete_session
    • To check for login requests and if the number of active sessions exceed 100. If these conditions are satisfied, to limit the number of sessions, the user is redirected to a page that indicates that the server is busy.</span>

       add responder action redirect_too_busy redirect "/too_busy.html"
       add responder policy check_login_pol "http.req.url.contains(\"example\") && $session_map.valueCount > 100" redirect_too_busy
  4. Bind the responder policies globally.</span>

    bind responder global add_session_pol 30 next
    bind responder global delete_session_pol 10
    bind responder global check_login_pol 20
Use case for limiting the number of sessions

In this article