Forum Discussion
Terrence
Nimbostratus
May 30, 2012
Edge Gateway-OWA 2010 sp2 session timeout and double login page
So I wrote this long post of two issues we are having with the exchange/apm implementation, however it was denied. So here's the Coles Notes version:
1) double login prompt
sso matches on /owa/&reason=0
This page redirects to another login page using javascript
sso has already happened at this point so I just change the uri to '/owa/'
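when HTTP_REQUEST {
    # Send requests for the site root to OWA
    if { ([HTTP::uri] == "/") } {
        HTTP::uri /owa
    }
    set req_uri [HTTP::uri]
    # SSO has already happened here, so skip OWA's second logon page
    if { $req_uri starts_with "/owa/auth/logon.aspx?replaceCurrent=1" } {
        HTTP::uri /owa
    }
    unset req_uri
}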
2) The second issue is that the user's session never times out. The reason is highlighted here http://support.microsoft.com/kb/2478286. When the user times out, the server returns a response code of 440 Login Timeout. I watch for this response code and remove the session and redirect back to owa.
when HTTP_RESPONSE {
    if { [HTTP::status] == 440 } {
        set apm_cookie [HTTP::cookie value MRHSession]
        if { $apm_cookie != "" && [ACCESS::session exists $apm_cookie] } {
            ACCESS::session remove
            HTTP::redirect "http://mymail.humber.ca/"
        }
    }
}
The second rule hasn't been tested thoroughly, but the implementation period here will be long, so I will have a long time to test.
Now let's hope I can submit this time.
Third attempt at posting. This time I copied and pasted.
4 Replies
- Terrence
Nimbostratus
Point2
This rule crashes websso
Attempt2
when HTTP_RESPONSE {
    if { [HTTP::status] == 440 } {
        log -noname local0.info "440 Login Timeout Response Received"
        HTTP::redirect "https://owa.example.com/vdesk/hangup.php3"
    }
}
- Terrence
Nimbostratus
Point2
Thus far the rules have proven wrong. The last one definitely removes the session, however the web client never realizes it has timed out, as the requests were from json or xmlrpc of some sort.
I stole this one from https://devcentral.f5.com/Tutorials/TechTips/tabid/63/articleType/ArticleView/articleId/1086502/APM-Session-Invalidation-Using-ASM.aspx
Removing the asm piece and adding the HTTP_RESPONSE piece
when ACCESS_ACL_ALLOWED {
    set mrhsession [HTTP::cookie value "LastMRH_Session"]
    if { [table lookup $mrhsession] == "EXCHANGE_LOGOUT" } {
        set user_logon [ACCESS::session data get "session.logon.last.username"]
        set sessionid [ACCESS::session data get "session.user.sessionid"]
        log local0.warn "ASM VIOLATION - Session: $sessionid, User: $user_logon"
        ACCESS::session remove
        table delete $mrhsession
    }
}
when HTTP_RESPONSE {
    if { [HTTP::status] == 440 } {
        set mrhsession [HTTP::cookie value "LastMRH_Session"]
        if { $mrhsession != ""} {
            table set $mrhsession "EXCHANGE_LOGOUT"
            log local0.warn "OWA Exchange Initiated Timeout - MRHSession: $mrhsession"
        }
    }
}
- Terrence
Nimbostratus
And the final irule:
My final version of the irule, which I hope doesn't put too much strain on the edge gateway, looks as follows:
when ACCESS_ACL_ALLOWED {
    set mrhsession [HTTP::cookie value "LastMRH_Session"]
    # A flagged session is removed on its next allowed request
    if { [table lookup $mrhsession] == "EXCHANGE_LOGOUT" } {
        set user_logon [ACCESS::session data get "session.logon.last.username"]
        set sessionid [ACCESS::session data get "session.user.sessionid"]
        log local0.warn "OWA Exchange Initiated timeout - Session: $sessionid, User: $user_logon"
        ACCESS::session remove
        table delete $mrhsession
    }
}
when HTTP_REQUEST {
    # Keep the request's session cookie for use in HTTP_RESPONSE
    set mrhsession [HTTP::cookie value "LastMRH_Session"]
}
when HTTP_RESPONSE {
    # 440 means Exchange timed the user out; flag the APM session
    if { [HTTP::status] == 440 } {
        log local0.warn "OWA Exchange Initiated Timeout"
        if { $mrhsession != ""} {
            table set $mrhsession "EXCHANGE_LOGOUT"
            log local0.warn "OWA Exchange Initiated Timeout - MRHSession: $mrhsession"
        }
    }
    unset mrhsession
}
- Kunal
Nimbostratus
Hi All,
I have a similar issue. The issue is for IPv6 users, we see that users are getting timed out.
Is there a way to see the value of the table "EXCHANGE_LOGOUT"?
Thanks
Kunal
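One way to make the "EXCHANGE_LOGOUT" flag visible, as an added example that is not part of any post in this thread: the flag-then-remove flow of the final iRule, with the flag stored in a named subtable so pending flags can be counted and each flag's remaining lifetime logged. The subtable name owa_440_flags and the 600-second timeout are assumptions.

```tcl
# Added example, not from the thread. Same flag-then-remove flow as the final
# iRule, with the flag kept in a named subtable so it can be inspected.
# Assumptions: subtable name "owa_440_flags", 600-second flag timeout.
when HTTP_REQUEST {
    # Read the cookie on the request side, as the final iRule does
    set mrhsession [HTTP::cookie value "LastMRH_Session"]
}

when HTTP_RESPONSE {
    if { [HTTP::status] == 440 && $mrhsession ne "" } {
        # Explicit timeout instead of relying on the table default
        table set -subtable owa_440_flags $mrhsession "EXCHANGE_LOGOUT" 600
        set pending [table keys -subtable owa_440_flags -count]
        log local0.info "440 from Exchange: flagged $mrhsession ($pending flag(s) pending)"
    }
}

when ACCESS_ACL_ALLOWED {
    set key [HTTP::cookie value "LastMRH_Session"]
    if { $key eq "" } { return }
    # -notouch reads the entry without resetting its idle timer
    set flag [table lookup -notouch -subtable owa_440_flags $key]
    if { $flag eq "EXCHANGE_LOGOUT" } {
        set left [table timeout -subtable owa_440_flags -remaining $key]
        set user [ACCESS::session data get "session.logon.last.username"]
        log local0.info "flag=$flag key=$key user=$user expires_in=${left}s"
        table delete -subtable owa_440_flags $key
        ACCESS::session remove
    }
}
```

Entries written with `log local0.` appear in /var/log/ltm on the BIG-IP.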
