Forum Discussion

Stevenson_88156
Mar 02, 2011

F5 APM ACCESS::session remove




I am not sure if this is the right forum to post this question, but since I cannot find an APM group within DevCentral, I will try to post it here.



I am trying to find out how to allow a user to "logout" and to clear the user session. Upon reading about the "ACCESS::session remove" iRule command, I thought I got it.



However, when I invoke this command in my iRule, the user was able to log out but somehow the session still remains (this can be seen within the APM web console). On top of that, even though the user is redirected to the login page, when a user tries to log back in, somehow APM ends up using the same session (since the user has not closed the browser) and since this session is marked as terminated, APM does not allow the user to log on and the user gets routed back to the same login page and could never log in again unless they close their browser.



Is this a known defect with F5 APM 10.2.1? Is there any other way to somehow allow the user to "logout" and be given a new session without closing their browser? Thanks.


7 Replies

  • You can log out the user by sending a redirect to https://[virtual]/vdesk/hangup.php3



    Something like:


    HTTP::redirect https://[virtual]/vdesk/hangup.php3
  • While this works great for our Exchange 2010 / APM deployment, I just noticed that the browser must hold on to a cookie.



    Even though user A clicks the logoff/signout in the OWA session, they are successfully redirected to the APM Logoff page, and the APM session is killed. The issue we have is that the APM Logoff page has a hyperlink to start a new session. If clicked, they are redirected to the main APM Logon page. If user B comes along and logs on, they are logged into OWA as user A. APM shows user B as logged on and the IIS logs show MRHSession with the new APM session. The issue though is the "OutlookSession=" value in the cookie has the same value as user A.



    The only way I know of getting around this right now is to inform our user population to close the browsers after logout. This seems to remove the cached cookie containing the old OutlookSession value.



    Any thoughts? Can we use an iRule to force a delete of the browser side cookie, or better yet to remove the OutlookSession= value?
  • After further inspection of the original Logoff.aspx HTML code of either Exchange 2007 or 2010 CAS, it looks like there are additional functions that need to run to clear the credentials cache. It looks like we still need the logoff.aspx to load.



    Has anyone been successful in using APM to properly logoff OWA sessions, and not requiring browsers to be closed?


  • dubdub
    Have you tried specifying the full logout URI in the "Logout URI Include" list for the APM policy? We use that and it works for us.





  • That is beyond whacky. We actually created a case with support on Monday and they are still working on the issue.



    I did try to add "/owa/auth/logoff.aspx" to the Logout URI section, but that does not work in the slightest.



    Also, the APM session does close by using the code above in an iRule; the issue is that the browser/Exchange holds on to the OutlookSession cookie. You should try that in your environment. Follow the normal logoff procedure for OWA, but sign back in with a different account without having closed your browser. That should reproduce our issue.


  • I actually added the Logout URI incorrectly. Support had advised me to add it as /owa/auth/logoff.aspx*, when it just needed to be added without the star. It now properly closes the APM session when logoff/signout is clicked in either OWA 2007 or 2010.



    Still working on the OWA timeout issue. We have it mostly working, but we are getting very strange errors in LTM Logs when the timeout iRule processes: "http_process_state_header_xfer - Invalid action EV_SINK_HEADER during ST_HTTP_XFER_HEADERS"



    Have a more detailed post here:
  • dubdub
    Glad to hear it was fixed, because I was stumped why the logout URI wouldn't work :)



    We're in the same boat on the OWA timeout issue. No resolutions on that yet that I know of.
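
On the question raised earlier in the thread about using an iRule to delete the browser-side OutlookSession cookie, here is one possible approach as an added example (not code from any poster or from F5). It assumes the cookie was issued with path=/ and no Domain attribute, which must be checked against the real Set-Cookie header, and that the logoff.aspx response passes through the virtual server.

```tcl
# Added example, not from the thread. Assumption: OWA issues OutlookSession
# with path=/ and no Domain attribute. A browser only discards a cookie when
# the expiring Set-Cookie matches the original name, path and domain.
when HTTP_REQUEST {
    # Flag requests for the OWA sign-out page (path taken from the thread)
    # that still carry an OutlookSession cookie from the previous user.
    set expire_owa_cookie 0
    if { [string tolower [HTTP::path]] eq "/owa/auth/logoff.aspx" &&
         [HTTP::cookie exists "OutlookSession"] } {
        set expire_owa_cookie 1
    }
}

when HTTP_RESPONSE {
    # logoff.aspx is still served by the CAS, so its own cleanup code runs;
    # this only adds one header telling the browser to drop the stale cookie.
    if { $expire_owa_cookie } {
        HTTP::header insert "Set-Cookie" \
            "OutlookSession=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT"
    }
}
```

To verify it, sign out of OWA and confirm in the browser's cookie store that OutlookSession is gone before a second account signs in from the same browser window.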