Forum Discussion
F5 APM Session Cookies Don't Clear after User Inactivity
The F5 APM session cookie MRHSession doesn't clear from the browser if a user is inactive for more than 49 minutes.
We are using a custom iRule to invoke the logout URI, which will clear the APM session cookies (F5_ST, MRHSession) from the browser when F5 intercepts the URI that is configured in the APM profiles.
This scenario works fine for the first 48 minutes: if a user tries to access any protected URI after being inactive for more than 15 minutes and has an MRHSession cookie, the iRule verifies whether the user session has expired and calls the logout, which clears the cookies in the browser.
This scenario works for the first 48 minutes, but from the 49th minute APM sets a new MRHSession cookie, and in the APM console I see a new N/A user for it.
I don't understand this odd behavior: why does F5 validate the MRHSession cookie for the first 48 minutes and not later? Does F5 APM have any settings where it cannot create a new session after 49 minutes?
- Dave_W
Employee
What is the Inactivity Timeout in the Access Policy set to? Is there a reason you are not using this instead of the iRule?
- stanjavoor
Nimbostratus
We have the setting enabled, which is the default 900 seconds, but the iRule we are using is there to make a call to the IDP to clear out the session on their end as well.
- Dave_W
Employee
Can you post the iRule you are using?
- stanjavoor
Nimbostratus
Thank you for looking into this. Here you go, Dave.
when HTTP_REQUEST {
    set apm_cookie [HTTP::cookie value MRHSession]
    # Browser sent an MRHSession cookie, but APM has no session for it
    if { $apm_cookie != "" && ! [ACCESS::session exists $apm_cookie] } {
        ACCESS::session modify -sid $apm_cookie -timeout 1
        if { [ACCESS::session exists $apm_cookie] } {
            ACCESS::session remove -sid $apm_cookie
        }
        set close_url "test.idp.abc.com/login/signout"
        set uri "/wps/unauth/home"
        # Redirect to the IDP sign-out and expire the APM cookies in the browser
        HTTP::respond 302 Location "https://$close_url?fromURI=https://[HTTP::host]$uri" \
            "Cache-Control" "no-cache, must-revalidate" \
            "Set-Cookie" "MRHSession=deleted;path=/;secure;expires=\"Thu, 01-Jan-1970 00:00:01 GMT\"" \
            "Set-Cookie" "LastMRH_Session=deleted;path=/;secure;expires=\"Thu, 01-Jan-1970 00:00:01 GMT\"" \
            "Set-Cookie" "F5_ST=deleted;path=/;secure;expires=\"Thu, 01-Jan-1970 00:00:01 GMT\""
    }
}
- stanjavoor
Nimbostratus
In our APM configuration, /login/signout is configured as the logout URI. When APM intercepts that call, it clears out the APM cookies from the configuration.
Is there any way I can issue that in the above iRule so that APM intercepts it and clears the session locally, and the 302 redirects the user back to our landing page for login?
- Dave_W
Employee
Hello, I think you are looking for something like this:
when ACCESS_ACL_ALLOWED {
    if { [HTTP::uri] equals "/?cmd=logout" } {
        ACCESS::session remove
        HTTP::redirect "https://[HTTP::host]"
    }
}
https://devcentral.f5.com/s/question/0D51T00006i7P3M/apm-logout-irule
- stanjavoor
Nimbostratus
No, I'm looking to invoke [HTTP::host]/login/signout so that APM can clear cookies.
set close_url "test.idp.abc.com/login/signout"
set uri "/wps/unauth/home"
HTTP::respond 302 Location "https://$close_url?fromURI=https://[HTTP::host]$uri" \
    "Cache-Control" "no-cache, must-revalidate" \
    "Set-Cookie" "MRHSession=deleted;path=/;secure;expires=\"Thu, 01-Jan-1970 00:00:01 GMT\"" \
    "Set-Cookie" "LastMRH_Session=deleted;path=/;secure;expires=\"Thu, 01-Jan-1970 00:00:01 GMT\"" \
    "Set-Cookie" "F5_ST=deleted;path=/;secure;expires=\"Thu, 01-Jan-1970 00:00:01 GMT\""
HTTP::respond 301 Location "https://[HTTP::host]/login/signout"
Can I use multiple HTTP::respond in an iRule?