Forum Discussion

Nimbostratus

May 09, 2014

f5 Access Policy Manager AJAX vs Non-Ajax Request Handling with Authentication

I'm implementing a Single Page Application (Javascript/AJAX Based) leveraging the f5 as the Identity Provider and Service Provider for Single-Sign-On. The Web app sits behind the f5 in Apache, and th...

application delivery

ASM Advanced WAF

BIG-IP Access Policy Manager (APM)

Nimbostratus

May 11, 2014

..the user's session has expired, to respond with a 401 http response when the request has the header X-Requested-With: XMLHttpRequest.

when ACCESS_SESSION_STARTED { 
  if { [HTTP::header "X-Requested-With" ] equals "XMLHttpRequest" && [HTTP::header "Referer" ] contains "my.logout.php3" } {     
     ACCESS::respond 401 
  }   
}

ddubya_152376
Nimbostratus
May 11, 2014
Well, the issue here is that the browser will never cause that Referer header to be sent because the browser application is a Javascript Single Page Application, all HTTP Requests that go to the backend are AJAX, so the client application never does the 302 redirect to the logout page or anywhere else, the javascript eats the 302 redirect transparently. Let me try and attach a screen shot of what I'm experiencing and what I would like instead.