Forum Discussion
Alexander_01_13
Nimbostratus
Nimbostratusf5 sharepoint tenacious session issue
Good evening!
We are experiencing a security issue with our f5 sharepoint deployment. I have used the iapp f5.microsoft_sharepoint_2010, Software Version is BIG-IP 11.4.1 Build 608.0 Final
...
We don't have any way to delete cookies from a client machine using an iRule. We can delete APM sessions using iRules, or even return an expired cookie, but we don't have any criteria to differentiate a session from a closed browser vs one that has just been inactive for a bit. That's why you need a client agent of some sort.
If you delete the APM cookie on "onbeforeload", doesn't that leave the cookie in the browser store where it could be used by a different user (this is the way Office apps can use existing sessions to edit documents)?
Wanting to remove all cookies from the machine on exit is pretty common in the public computer/kiosk scenario. I'm assuming that's what we're talking about here, correct? You wouldn't have much need for this on a trusted machine.
SERVER_CLOSED is triggered when the server-side connection is closed. You wouldn't want to do that for exactly the reason you mentioned. Your browser session shouldn't even stay valid since the APM session is killed every time a back-end connection is closed.
I'll ask around about a possible RFE for this, but AFAIK it's not easy to do or even possible w/o the Edge client.