For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

JevgeniR's avatar
JevgeniR
Icon for Nimbostratus rankNimbostratus
Apr 17, 2019

APM session expired HTTP code

Hello community,   I am facing an interesting situation with F5 APM being deployed as a proxy in front of an application. A little background: the application itself is a mix of HTTP/AJAX/JS which...
application delivery
BIG-IP Access Policy Manager (APM)
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Apr 17, 2019

Hi JevgeniR,

APM does not utilize a specific response page for expired sessions. It just starts a new APM session and then redirects the user to /my.policy.

To stop those background JSON request from creating new APM sessions and also to respond those request with a 403 - Access Denied status code, you could attach the iRule below to your Virtual Server.

 

when ACCESS_SESSION_STARTED {
  if { [HTTP::header value "Accept"] starts_with "application/json" } { 
    ACCESS::session remove ACCESS::respond 401 "Access Denied" 
  } 
}

 

Cheers, Kai