Forum Discussion

JevgeniR
Apr 17, 2019

APM session expired HTTP code

Hello community,

 

I am facing an interesting situation with F5 APM being deployed as a proxy in front of an application. A little background: the application itself is a mix of HTTP/AJAX/JS which is loaded into the client browser once at the very beginning and afterwards just proceeds with loading JSON/HTML templates on demand. The application assumes that an HTTP200 response from the server indicates that the response contains valid JSON/HTML data.

 

The problem manifests whenever a user session expires - the APM module returns an appropriate error/notification page, but with an HTTP200 response.

 

Can the APM be made to return a status code other than HTTP200 (e.g. 401, 403, 419, 440) in such a scenario? If not - what could be an easy and elegant way to resolve this?

 

1 Reply

  • Hi JevgeniR,

    APM does not utilize a specific response page for expired sessions. It just starts a new APM session and then redirects the user to /my.policy.

    To stop those background JSON requests from creating new APM sessions and also to respond to those requests with a 403 - Access Denied status code, you could attach the iRule below to your Virtual Server.

     

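    when ACCESS_SESSION_STARTED {
      # Only act on requests whose Accept header starts with application/json
      if { [HTTP::header value "Accept"] starts_with "application/json" } {
        # Remove the APM session that was just created for this request
        ACCESS::session remove
        # Answer directly with a status code instead of the redirect
        ACCESS::respond 401 "Access Denied"
      }
    }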

     

    Cheers, Kai
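
A client-side complement to the iRule above, as an added example that is not part of the original thread: a request wrapper that sends the `Accept` header the iRule matches on and stops treating every HTTP 200 as valid data. The names `classifyApmResponse` and `fetchJson`, and the choice to treat both 401 and 403 as session expiry, are assumptions made for illustration.

```javascript
// Added example (not from the thread). Names below are illustrative.
const APM_POLICY_PATH = "/my.policy";         // path named in the reply
const EXPIRED_STATUSES = new Set([401, 403]); // assumed: codes the iRule may send

// Decide what a response really is instead of trusting "HTTP 200 = data".
function classifyApmResponse({ status, contentType, url }) {
  if (EXPIRED_STATUSES.has(status)) return "session-expired";
  let path = "";
  try {
    // The base is a placeholder used only to parse relative URLs.
    path = new URL(url || "/", "https://placeholder.invalid").pathname;
  } catch {
    path = "";
  }
  // Per the reply, a new APM session is redirected to /my.policy, and
  // fetch follows that redirect, so the final URL reveals it.
  if (path.startsWith(APM_POLICY_PATH)) return "session-expired";
  if (status < 200 || status > 299) return "error";
  const type = (contentType || "").split(";")[0].trim().toLowerCase();
  return type === "application/json" ? "ok" : "not-json";
}

// Wrapper for the app's background requests. The Accept header must begin
// with application/json, because the iRule tests it with starts_with.
async function fetchJson(url, { fetchImpl = globalThis.fetch, onExpired = () => {} } = {}) {
  const res = await fetchImpl(url, {
    headers: { Accept: "application/json" },
    credentials: "same-origin",
  });
  const verdict = classifyApmResponse({
    status: res.status,
    contentType: res.headers.get("content-type"),
    url: res.url,
  });
  if (verdict === "session-expired") {
    onExpired(); // e.g. send the user back through the login flow
    throw new Error("APM session expired");
  }
  if (verdict !== "ok") {
    throw new Error(`Unexpected response: ${verdict} (HTTP ${res.status})`);
  }
  return res.json();
}
```

An HTML body delivered with HTTP 200 is reported as `not-json` rather than parsed, which covers the case described in the question even when no iRule is attached.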