For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

stanjavoor's avatar
stanjavoor
Icon for Nimbostratus rankNimbostratus
Oct 17, 2019

F5 APM Session Cookies Doesn't Clear after User Inactivity

F5 APM Session Cookie MRHSession doesn't clear from browser if a user is inactive for more than 49 minutes. We are using a custom iRule to invoke logout uri which will clear APM session cookies (F5_...
BIG-IP Access Policy Manager (APM)
devops
iRules
LTM
stanjavoor's avatar
stanjavoor
Icon for Nimbostratus rankNimbostratus
Oct 24, 2019

Thank you for looking into this, here you go Dave.

when HTTP_REQUEST {
    set apm_cookie [HTTP::cookie value MRHSession]
    if { $apm_cookie != "" && ! [ACCESS::session exists $apm_cookie] }
        {
            ACCESS::session modify -sid $apm_cookie -timeout 1
            
            if { [ACCESS::session exists $apm_cookie] } {
            ACCESS::session remove -sid $apm_cookie
            }
            
            set close_url "test.idp.abc.com/login/signout"
			set uri "/wps/unauth/home"
			HTTP::respond 302 Location "https://$close_url?fromURI=https://[HTTP::host]$uri" "Cache-Control" "no-cache, must-revalidate" "Set-Cookie" "MRHSession=deleted;path=/;secure;expires=\"Thu, 01-Jan-1970 00:00:01 GMT\"" "Set-Cookie" "LastMRH_Session=deleted;path=/;secure;expires=\"Thu, 01-Jan-1970 00:00:01 GMT\"" "Set-Cookie" "F5_ST=deleted;path=/;secure;expires=\"Thu, 01-Jan-1970 00:00:01 GMT\""
        }
}