APM - dynamically enabling access policy when 401 back from server is detected

We are testing this and it is working well for us so far. Thanks.

when HTTP_REQUEST {
    set var_uri [HTTP::uri]
    set var_apm_cookie [HTTP::cookie value MRHSession]

    if { ( [ACCESS::session exists -state_allow $var_apm_cookie] ) \
             or ( [HTTP::uri] starts_with "/my.policy" ) } {
        set var_apm_required 1
        return

    } elseif { ( [HTTP::uri] starts_with "/start_policy" ) } {
        ACCESS::session remove
        ACCESS::session create -timeout 1800 -lifetime 0
        ACCESS::session data set session.server.landinguri [findstr [HTTP::uri] "/start_policy?url=" 18]
        set var_apm_required 1
        return

    } else {
        ACCESS::disable
        set var_apm_required 0
        return
    }
}

when ACCESS_SESSION_STARTED {
    ACCESS::session data set session.server.landinguri [findstr [HTTP::uri] "/start_policy?url" 18]
}

when HTTP_RESPONSE { 
    if {  ([HTTP::status] eq "401") and ($var_apm_required eq 0) } {
         HTTP::respond 302 Location "/start_policy?url=$var_uri"
    }
}