For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Aviv's avatar
Aviv
Icon for Cirrus rankCirrus
Nov 07, 2015

APM close session when smart card removed

Hi ! I have published a web application with smartcard authentication by apm. how do i force closing a session on smart card remove?

 

Thanks,

 

Aviv Hassidim

 

2 Replies

  • Henrik_Gyllkran's avatar
    Henrik_Gyllkran
    Icon for Nimbostratus rankNimbostratus
    Nov 07, 2015

    In normal circumstances the APM doesn't work like that. Once you established a session you're allowed to send traffic until the session ends. What you might be able to do is to create a Per-Request Policy, so that the Access Policy will be verified every time the client sends a rquest. I haven't played around too much with those but I know they don't have all the features of the normal Access Policies, but they might be able to do what you need.

     

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Nov 30, 2015

    i don't believe APM or any software can do this. the problem is how a smartcard is integrated in the OS. it is just a place to store a certificate, probably with a passcode to protect it. it is accessed when a certificate is requested, but that is it. things like removing a smartcard triggers nothing, certainly not APM.

     

    per access request might help, but it might also just assume the card is still there and use a cached version. i have seen that happen with smart cards and it might differ from OS to OS.