JevgeniR
Apr 17, 2019

APM session expired HTTP code

Hello community,

I am facing an interesting situation with F5 APM being deployed as a proxy in front of an application. A little background: the application itself is a mix of HTTP/AJAX/JS which is loaded into the client browser once at the very beginning and afterwards just proceeds with loading JSON/HTML templates on demand. The application assumes that an HTTP200 response from the server indicates that the response contains valid JSON/HTML data.

The problem manifests whenever a user session expires - the APM module returns an appropriate error/notification page, but with an HTTP200 response.

Can the APM be made to return a status code other than HTTP200 (e.g. 401, 403, 419, 440) in such a scenario? If not - what could be an easy and elegant way to resolve this?


1 Reply

  • Hi JevgeniR,

    APM does not utilize a specific response page for expired sessions. It just starts a new APM session and then redirects the user to /my.policy.

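    To stop those background JSON requests from creating new APM sessions and also to respond to those requests with a 403 - Access Denied status code, you could attach the iRule below to your Virtual Server.

    when ACCESS_SESSION_STARTED {
      # Only act on background requests that ask for JSON
      if { [HTTP::header value "Accept"] starts_with "application/json" } {
        # Drop the session APM just created for this request
        ACCESS::session remove
        # Answer with an error status instead of the redirect to /my.policy
        ACCESS::respond 401 content "Access Denied"
      }
    }
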

    Cheers, Kai
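
A client-side counterpart to the iRule in the reply above, as an added example that is not part of either post: the application's JSON calls send `Accept: application/json` so the iRule can match them, and every response is classified before it reaches the JSON parser. The function names, the summary object and the `app.example` origin are hypothetical; the 401 status and the `/my.policy` redirect are taken from the thread.

```javascript
// Added example, not from the thread. Assumes the iRule above answers expired
// JSON calls with 401 and that APM otherwise redirects to /my.policy.
const APM_POLICY_PATH = "/my.policy";

class SessionExpiredError extends Error {}

// Classify a summary { status, contentType, url, redirected } of a response
// to a background JSON request. Function and field names are hypothetical.
function classifyApmResponse(res) {
  const type = (res.contentType || "").toLowerCase();
  let path = "";
  try {
    path = new URL(res.url, "https://app.example").pathname;
  } catch (_) { /* unparsable URL: fall through to the other checks */ }

  // iRule attached: the session was removed and an explicit 401 returned.
  if (res.status === 401) return "session-expired";
  // iRule not hit: the client followed APM's redirect to the logon policy.
  if (res.redirected && path === APM_POLICY_PATH) return "session-expired";
  if (res.status >= 200 && res.status < 300) {
    // A 2xx that is not JSON must never reach the JSON parser.
    return type.startsWith("application/json") ? "ok" : "unexpected-content";
  }
  return "http-error";
}

// Wrapper for the app's JSON calls; fetchImpl is injectable for testing.
async function fetchJson(url, fetchImpl = fetch) {
  const r = await fetchImpl(url, {
    headers: { Accept: "application/json" }, // lets the iRule match the request
    credentials: "same-origin",              // send the APM session cookie
  });
  const verdict = classifyApmResponse({
    status: r.status,
    contentType: r.headers.get("content-type"),
    url: r.url,
    redirected: r.redirected,
  });
  if (verdict === "session-expired") {
    throw new SessionExpiredError("APM session expired; re-authenticate");
  }
  if (verdict !== "ok") throw new Error(`refusing response: ${verdict}`);
  return r.json();
}
```

The caller catches `SessionExpiredError` and sends the user through a full-page logon instead of rendering the response body as data.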