Forum Discussion

6 Replies

  • In the absence of ANY consistent event, there are very few options other than maybe shortening the access policy idle timeout. You could, theoretically, send HTTP responses with a tiny piece of JavaScript that continually "pings" the VIP, and then significantly shorten the idle timeout, but that of course would add a lot of additional traffic.

     

  • Hi,

    Look into the Cache and Session Control event in the VPE. There is an option that does exactly what you want. Please let me know if this solves your issue.

    Seth

  • Looking at the same question myself. If you untick the "Persistent" option on the Access Policy cookie, then the MRH_Session cookie becomes a proper session cookie. Then (if your browser deletes session cookies at close of play, mine didn't because I had "Continue where you left off" selected in Chrome), closing the browser deletes the cookie, and stops the session. However, if I enable "multi-domain" support, the persistent toggle seems to have no effect, and cookies are always persistent and expiry is set based on "Session Inactivity timeout" (e.g. now + inactivity timeout) once the session is established (up to that point the cookies are proper session cookies). Would like to know if the disabling of "Persistent" is deliberate. I assume the session associated with a multi-domain cookie should stay alive for as long as one of the domains is seeing activity within its session inactivity timeout. My best guess is that multi-domain authentication has issues, as I have another support ticket relating to cookie behaviour in multi-domain authentication where it appears to find cookies in parent domains, and confuse the session re-start. Kludgy as it is, I recommend a belts and braces approach, where you use session cookies (not persistent), and catch the JavaScript event and visit the corresponding logout page as the window closes, if you really want them to be logged out reliably.
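
Added example (not part of the post above, and not F5 code): a small check that classifies a `Set-Cookie` header for `MRH_Session` as a session or a persistent cookie, to confirm whether the "Persistent" toggle took effect. The header strings, the `example.test` domain and the 900-second lifetime are constructed samples.

```javascript
// Split one Set-Cookie header value into its name and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), attrs: {} };
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return cookie;
}

// Report whether the cookie outlives the browser session, plus scope findings.
function auditSessionCookie(header, nowMs = Date.now()) {
  const { name, attrs } = parseSetCookie(header);
  // Max-Age takes precedence over Expires (RFC 6265); neither means session cookie.
  let lifetimeSec = null;
  if (typeof attrs['max-age'] === 'string') {
    lifetimeSec = parseInt(attrs['max-age'], 10);
  } else if (typeof attrs.expires === 'string') {
    lifetimeSec = Math.round((Date.parse(attrs.expires) - nowMs) / 1000);
  }
  // A zero or negative lifetime is a deletion, not a persistent cookie.
  const persistent = lifetimeSec !== null && lifetimeSec > 0;
  const findings = [];
  if (persistent) findings.push(`persistent: survives browser close, expires in ${lifetimeSec}s`);
  if (!attrs.secure) findings.push('missing Secure');
  if (!attrs.httponly) findings.push('missing HttpOnly');
  if (attrs.domain) findings.push(`Domain=${attrs.domain}: also sent to subdomains`);
  return { name, persistent, lifetimeSec, findings };
}

// Constructed sample headers (not captured from a real BIG-IP).
const SAMPLE_NOW = Date.UTC(2025, 0, 1, 0, 0, 0);
const SAMPLES = [
  'MRH_Session=0123abcd; path=/; Secure; HttpOnly',
  'MRH_Session=0123abcd; path=/; Domain=example.test; Expires=Wed, 01 Jan 2025 00:15:00 GMT; Secure',
];
for (const h of SAMPLES) console.log(auditSessionCookie(h, SAMPLE_NOW));
```

A result of `persistent: false` only shows that the server issued a session cookie; as the post notes, a browser set to restore the previous session may still keep it.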
  • Does the application have a logout URI? You can add the URI to APM which can use that to tell it to kill the persistent cookie.

    The following is an example that injects JavaScript into the page using a stream profile, looks for a browser close in IE and transparently redirects the page to the signout page, telling APM to kill the session.

    This specific example was developed for SharePoint, but could work for anything really, just change the URI around to suit your needs.

    when HTTP_REQUEST {
        # Looks for SharePoint hangup, kills APM session.
        if { [string tolower [HTTP::uri]] contains "signout.aspx" } {
            ACCESS::session remove
        }
        # Keep the stream filter off for the request and ask the server for an
        # uncompressed response so the response body can be rewritten.
        STREAM::disable
        HTTP::header remove "Accept-Encoding"
    }
    when HTTP_RESPONSE {
        # Check if response type is text
        if { [HTTP::header value Content-Type] contains "text" } {
            # Define the stream replacement
            # Change the 15 in the following line to the version of sharepoint being used 13 = 2007 / 14 = 2010 / 15 = 2013
            STREAM::expression {@@ @}
            STREAM::enable
        }
    }

  • I managed to get this (almost) working with the iRule below:

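    when ACCESS_ACL_ALLOWED {
        # Exempt Office and WebDAV clients from the SessionCheck cookie test.
        switch -glob [HTTP::header value "User-Agent"] {
            "Microsoft Office*" -
            "MSFrontPage*" -
            "Microsoft-WebDAV*" {
                return
            }
            default {
                # Connection-local variable: a global (::) variable is shared
                # between connections and demotes the virtual server from CMP.
                set sess_verify [ACCESS::session data get session.custom.verify]
                log local0. "sess_verify variable set to $sess_verify"
                if { $sess_verify == 1 } {
                    if { [ACCESS::session exists -state_allow] } {
                        if { [HTTP::cookie exists "SessionCheck"] } {
                            return
                        } else {
                            # Verified session but the browser cookie is gone:
                            # remove the APM session and send the user to the hangup page.
                            ACCESS::session remove
                            HTTP::respond 302 Location "/vdesk/hangup.php3"
                            return
                        }
                    }
                }
            }
        }
    }

    when HTTP_RESPONSE {
        # Cookie without an expiry, so the browser drops it when it closes.
        HTTP::cookie insert name SessionCheck value [ACCESS::session data get session.user.sessionid] path / domain era.europa.eu
        HTTP::cookie secure SessionCheck enable
        # Mark the session so later requests are checked for the cookie.
        ACCESS::session data set session.custom.verify 1
    }
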

    But we still have an issue, as a user needs to reopen the browser so that the APM clears its session. So Office documents remain accessible in the meantime, which is a security issue.

    Do you guys have a working example of using JavaScript? The example above seems to me not complete (I'm not a JavaScript expert).
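
Added example (not part of the posts above, and not the script that was stripped from the stream expression earlier in the thread): a browser-side sketch of the "visit the logout page as the window closes" idea. The function name `installCloseLogout` and the 2-second grace window are hypothetical; `/vdesk/hangup.php3` is the hangup URI from the iRule above, and that it ends the session when requested with a POST is an assumption.

```javascript
// Best-effort logout on page close. Reload, back/forward and typed URLs also
// count as leaving, so the session inactivity timeout remains the backstop.
function installCloseLogout(win, logoutUrl, now = Date.now) {
  const GRACE_MS = 2000;           // how long a click "explains" a following unload
  let lastInternalNav = -Infinity; // time of the last same-origin click or form submit

  const sameOrigin = (href) => {
    try {
      return new URL(href, win.location.href).origin === win.location.origin;
    } catch (err) {
      return false; // unparsable href: treat as leaving the site
    }
  };

  // Capture phase, so the timestamp is recorded before the navigation starts.
  win.document.addEventListener('click', (ev) => {
    const link = ev.target && ev.target.closest ? ev.target.closest('a[href]') : null;
    // Links with a target open elsewhere and do not unload this page.
    if (link && !link.target && sameOrigin(link.getAttribute('href'))) {
      lastInternalNav = now();
    }
  }, true);
  win.document.addEventListener('submit', () => { lastInternalNav = now(); }, true);

  win.addEventListener('pagehide', () => {
    if (now() - lastInternalNav < GRACE_MS) return; // moving within the site
    // sendBeacon queues a POST (with cookies) that survives the page unloading.
    win.navigator.sendBeacon(logoutUrl);
  });
}

// In a browser, wire it to the real window.
if (typeof window !== 'undefined') {
  installCloseLogout(window, '/vdesk/hangup.php3');
}
```
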

  • This seems to be working

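    when ACCESS_ACL_ALLOWED {
        # Citrix logoff request: remember this APM session ID for up to
        # 28800 seconds (idle timeout and lifetime of the table entry).
        if { [string tolower [HTTP::uri]] eq "/citrix//authentication/logoff" } {
            table add "ctxloggedoutsessions_[ACCESS::session sid]" 1 28800 28800
        }
    }

    when HTTP_REQUEST {
        set sessionstatus [table lookup "ctxloggedoutsessions_[ACCESS::session sid]"]

        # First request after the Citrix logoff: clear the marker and send the
        # browser to the APM logout page.
        if { $sessionstatus == 1 } {
            table delete "ctxloggedoutsessions_[ACCESS::session sid]"
            HTTP::respond 302 Location "https://www.yourcitrixapm.com/my.logout.php3"
            unset sessionstatus
            event disable
        }
    }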