Forum Discussion
end APM session on browser close
Is there a way to end an APM session when the user closes a browser window? I understand this is a client-side event, but can the APM do anything? We have an APM policy with a login page, and once a user logs in, we navigate them to a pool of web servers in the back end.
6 Replies
- Kevin_Stewart
Employee
In the absence of ANY consistent event, there are very few options other than maybe shortening the access policy idle timeout. You could, theoretically, send HTTP responses with a tiny piece of JavaScript that continually "pings" the VIP, and then significantly shorten the idle timeout, but that of course would add a lot of additional traffic.
- Seth_Cooper
Employee
Hi,
Look into the Cache and Session Control event in the VPE. There is an option that does exactly what you want. Please let me know if this solves your issue.
Seth
- Simon_Waters_13
Cirrostratus
Looking at same question myself. If you untick the "Persistent" option on the Access Policy cookie, then the MRH_Session cookie becomes a proper session cookie. Then (if your browser deletes session cookies at close of play, mine didn't because I had "Continue where you left off" selected in Chrome), closing the browser deletes the cookie, and stops the session.
However, if I enable "multi-domain" support, the persistent toggle seems to have no effect, and cookies are always persistent and expiry is set based on "Session Inactivity timeout" (e.g. now + inactivity timeout) once the session is established (up to that point the cookies are proper session cookies). Would like to know if the disabling of "Persistent" is deliberate. I assume the session associated with a multi-domain cookie should stay alive for as long as one of the domains is seeing activity within its session inactivity timeout. My best guess is that multi-domain authentication has issues, as I have another support ticket relating to cookie behaviour in multi-domain authentication where it appears to find cookies in parent domains, and confuse the session re-start.
Kludgy as it is, I recommend a belts and braces approach, where you use session cookies (not persistent), and catch the JavaScript event and visit the corresponding logout page as the window closes, if you really want them to be logged out reliably.
- MichaelatF5
Employee
Does the application have a logout URI? You can add the URI to APM which can use that to tell it to kill the persistent cookie.
The following is an example that injects JavaScript into the page using a stream profile, looks for a browser close in IE and transparently redirects the page to the signout page, telling APM to kill the session.
This specific example was developed for SharePoint, but could work for anything really, just change the URI around to suit your needs.
```tcl
when HTTP_REQUEST {
    # Looks for SharePoint hangup, kills APM session.
    if { [string tolower [HTTP::uri]] contains "signout.aspx" } {
        ACCESS::session remove
    }
    STREAM::disable
    HTTP::header remove "Accept-Encoding"
}
when HTTP_RESPONSE {
    # Check if response type is text
    if { [HTTP::header value Content-Type] contains "text" } {
        # Define the stream replacement
        # Change the 15 in the following line to the version of sharepoint being used
        # 13 = 2007 / 14 = 2010 / 15 = 2013
        STREAM::expression {@@ @}
        STREAM::enable
    }
}
```
- Abdessamad1
Cirrostratus
I managed to get this (almost) working with the iRule below:
```tcl
when ACCESS_ACL_ALLOWED {
    switch -glob [HTTP::header value "User-Agent"] {
        "Microsoft Office*" -
        "MSFrontPage*" -
        "Microsoft-WebDAV*" {
            return
        }
        default {
            set ::sess_verify [ACCESS::session data get session.custom.verify]
            log local0. " ::sess_verify variable set to [ACCESS::session data get session.custom.verify] "
            if { $::sess_verify == 1 } {
                if { [ACCESS::session exists -state_allow] } {
                    if { [HTTP::cookie exists "SessionCheck"] } {
                        return
                    } else {
                        ACCESS::session remove
                        HTTP::respond 302 Location "/vdesk/hangup.php3"
                        return
                    }
                }
            }
        }
    }
}
when HTTP_RESPONSE {
    HTTP::cookie insert name SessionCheck value [ACCESS::session data get session.user.sessionid] path / domain era.europa.eu
    HTTP::cookie secure SessionCheck enable
    ACCESS::session data set session.custom.verify 1
}
```
But we still have an issue, as a user needs to reopen the browser so that the APM clears its session. So Office documents remain accessible in the meantime, which is a security issue.
Do you guys have a working example using JavaScript? The example above seems to me not complete (I'm not a JavaScript expert).
- ipman_1988_5418
Nimbostratus
This seems to be working
```tcl
when ACCESS_ACL_ALLOWED {
    if { [string tolower [HTTP::uri]] eq "/citrix//authentication/logoff" } {
        table add "ctxloggedoutsessions_[ACCESS::session sid]" 1 28800 28800
    }
}
when HTTP_REQUEST {
    set sessionstatus [table lookup "ctxloggedoutsessions_[ACCESS::session sid]"]
    if { $sessionstatus == 1 } {
        table delete "ctxloggedoutsessions_[ACCESS::session sid]"
        HTTP::respond 302 Location "https://www.yourcitrixapm.com/my.logout.php3"
        unset sessionstatus
        event disable
    }
}
```
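The client-side half of the approach suggested earlier in the thread (a non-persistent session cookie plus a logout request sent as the window goes away), written out as an added example that is not code from any poster or from F5. It assumes `/vdesk/hangup.php3`, the hangup path used in one of the iRules above, answers a GET; `installLogoutOnClose` and the other names are hypothetical.

```javascript
// Added example, not code from the thread. LOGOUT_URI is the APM hangup path
// that appears in an iRule above; function and variable names are hypothetical.
const LOGOUT_URI = "/vdesk/hangup.php3";

function installLogoutOnClose(win, logoutUri = LOGOUT_URI) {
  let internalNav = false; // set when the user navigates inside the application

  const sameOrigin = (href) => {
    try {
      return new URL(href, win.location.href).origin === win.location.origin;
    } catch (e) {
      return false; // unparsable target: treat it as leaving the application
    }
  };

  // A click on a same-origin link that loads in this window is not a close.
  win.document.addEventListener("click", (ev) => {
    const a = ev.target && ev.target.closest ? ev.target.closest("a[href]") : null;
    if (a && (!a.target || a.target === "_self") && sameOrigin(a.href)) {
      internalNav = true;
    }
  }, true);

  // Neither is a form posted back to the application.
  win.document.addEventListener("submit", (ev) => {
    if (sameOrigin(ev.target.action)) internalNav = true;
  }, true);

  win.addEventListener("pagehide", (ev) => {
    const skip = internalNav || ev.persisted; // persisted: page kept for Back/Forward
    internalNav = false;                      // one-shot: re-arm for the next unload
    if (skip) return;
    // keepalive lets the request outlive the closing page; same-origin
    // credentials carry the APM session cookie so the right session is ended.
    win.fetch(logoutUri, { method: "GET", keepalive: true, credentials: "same-origin" });
  });
}

// Browser entry point; under Node (no window) the script only defines the function.
if (typeof window !== "undefined") installLogoutOnClose(window);
```

A reload or a typed URL fires the same `pagehide` as a close, so it also ends the session, and closing one tab ends it for every tab sharing the cookie. Keep the APM inactivity timeout as the backstop for browsers that never send the request.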