APM Forms SSO Session Logout Error Page
Good day!
I am trying to get my policy to recognize when the page /Login/LogOff is being accessed. I'm using Forms Based SSO to front-end an application which is working successfully, but when the user selects the "Log Off" button on the application (not the BIG-IP/APM), an error page is being generated.
I am using the iRule:
when ACCESS_ACL_ALLOWED {
    if { [HTTP::uri] equals "/Login/LogOff" } {
        ACCESS::session remove
        ACCESS::respond 302 Location "http://[HTTP::host]" "Set-Cookie" "MRHSession=0; expires=Tuesday, 29-Mar-1970 00:15:00 GMT" "Connection" "Close"
    }
}
Error generated:
Access policy evaluation is already in progress for your current session.
You may see this message, if you are using a different browser tab than the one where you started the access policy initially. Please continue to finish your access policy in the previous browser tab, and close this current window immediately.
If you have reached to this message due to some other error, click for creating a new session.
I've also attempted SOL12056, but with limited success. It does in fact terminate the session, but does not successfully redirect the user to the login page immediately. There's a delay and the lowest is 1 second.
With the iRule, I've been able to redirect and I've been able to terminate the APM session. But I am unable to do both at the same time.
I've tried a myriad of other iRules and combinations and orders with no additional success.
Thoughts?
Thanks!
- Yann_Desmarest_Nacreous
Hi,
You should use the following instead or configure the logout setting in the access profile directly:
when ACCESS_ACL_ALLOWED {
    if { [HTTP::uri] equals "/Login/LogOff" } {
        ACCESS::respond 302 Location "http://[HTTP::host]/vdesk/hangup.php3"
    }
}
- Yann, thank you very much for the reply. I did try the suggested iRule as well as the logout settings in the profile. Both together and separate without success. I am still presented with the error mentioned above. I am working with the application owners as I believe when the "log off" button is selected, rather than a final landing page, I believe the application is terminating the session and using a 302 redirect to return the user to the login page. Which is exactly what I want the APM to do as well. So there may be a conflict with the application response and the APM's response to the end user.
This error message is displayed when you already have a pending session (so MRHSession cookies in the request) and you go to an invalid landing URI.
Can you trace what happens using Fiddler or HttpWatch?
- youssef1Cumulonimbus
Hi,
Can you please test this iRule:
when CLIENT_ACCEPTED {
    # Let HTTP events fire for APM-internal requests as well
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    # equals is case-sensitive; the path must match the application's logoff URI exactly
    if { [HTTP::uri] equals "/Login/LogOff" } {
        log local0. "logout-request-URI: local URI [HTTP::host][HTTP::uri] redirect to /vdesk/hangup.php3"
        HTTP::redirect "/vdesk/hangup.php3"
    }
}
- Brad_Parker_139Nacreous
If you change the rule to have the redirect logic in the response it will allow the backend application to receive the request and close the session there as well. This will ensure both the app and APM session are closed properly.
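when CLIENT_ACCEPTED {
    # Let HTTP events fire for APM-internal requests as well
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    # Flag the logoff request but still pass it to the backend.
    # equals is case-sensitive; the path must match the application's logoff URI exactly.
    set logout 0
    if { [HTTP::uri] equals "/Login/LogOff" } { set logout 1 }
}
when HTTP_RESPONSE {
    if { $logout } {
        log local0. "logout-request-URI: local URI [HTTP::host][HTTP::uri] redirect to /vdesk/hangup.php3"
        # Point the application's logoff response at the APM logout URI
        HTTP::header replace "Location" "/vdesk/hangup.php3"
    }
}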
- Ah. Right on, Brad. By using the HTTP_RESPONSE to replace the header, that also means the application on the back-end receives the original log off request. Without that, the APM session is torn down, but the application session is not. I've tested with this suggested iRule and I see both sessions torn down properly. Many thanks, Brad!
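A variant of the response-side rule above, added here as an example and not code from any poster in the thread. It goes slightly beyond the thread by handling two assumed edge cases: the logoff path arriving in a different case or with a query string, and the application answering the logoff request with something other than a redirect, in which case replacing the Location header alone would not send the browser to /vdesk/hangup.php3.

```tcl
when CLIENT_ACCEPTED {
    # Same as the thread's rule: allow HTTP events for APM-internal requests.
    ACCESS::restrict_irule_events disable
}

when HTTP_REQUEST {
    # Reset the flag on every request; connections are reused (keep-alive).
    set logout 0
    # HTTP::path excludes the query string; lower-casing makes the
    # comparison independent of how the application spells the link.
    if { [string tolower [HTTP::path]] eq "/login/logoff" } {
        set logout 1
        log local0. "logoff request for [HTTP::host][HTTP::path], passing to backend"
    }
    # The request is not answered here, so the backend still receives it
    # and can end its own session.
}

when HTTP_RESPONSE {
    if { $logout } {
        if { [HTTP::is_redirect] } {
            # Application answered with a redirect (what the original
            # poster expected): keep its response and cookies, and only
            # change where the browser goes next.
            HTTP::header replace "Location" "/vdesk/hangup.php3"
        } else {
            # Assumed edge case: application returned a page instead of a
            # redirect. Replace the response so the APM session is still
            # closed. This discards the backend response, including any
            # Set-Cookie headers it carried.
            HTTP::respond 302 Location "/vdesk/hangup.php3"
        }
    }
}
```

After applying a rule like this, confirm in a browser trace that the logoff request reaches the pool member and that the follow-up request to /vdesk/hangup.php3 ends the APM session.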