Forum Discussion

steven_normole's avatar
Mar 08, 2024

An odd request

Received a request from a customer that I just cannot see how the F5 could ever accomplish this task.

Problem:

There are kiosk placed in various locations which allow users to access sites to check their information.  Issue is that User-A logs into a website using their certificate then User-A removes their cert card and leaves the browser up.  Then User-B goes up to the kiosk inserts their cert card, but since User-A already logged in and did not logout User-B is able to get to access sites under User-A.

The customer is wanting the F5 to magically know that the cert card has been removed and to end the ssl session. I am telling them that until F5 gets some type of traffic back the ssl session will remain valid until the times outs are reached.

I could tell the F5 in the client ssl profile to change the frequency under client authentication to always, but is still not going to solve the problem.  Strict Resume will not work since it is based on unclean shutdown.  Lowering the Cache Timeout will not solve the problem.  Setting the Alert Timeout still will not work. Setting the Renegotiate Period might help, but how many seconds, even then if someone comes immediately behind the last User then it ends.

I think what is required that an application is written and running as service.  When the application receive notification that the cert card has been removed from the card reader that it automatically shuts down the browser.

 

Any ideas?

  • ideally, the application should sent the logout request when it detects card out.

    computing is logic not magic🙂

  • Yeah no easy / full proof solution on the BIG-IP side. An iRule doing some idle timer and enforcing new SSL session can make the window smaller, but there remains a window.