f5 sharepoint tenacious session issue
Good evening!
We are experiencing a security issue with our F5 SharePoint deployment. I have used the iApp f5.microsoft_sharepoint_2010; the software version is BIG-IP 11.4.1 Build 608.0 Final.
The problem is that once a browser session is established, it will continue even though the browser is closed and even if the client is rebooted. When I call up the URL of the SharePoint, it will connect me without asking for authentication.
How can I achieve that upon closing the browser the session becomes invalid?
Thanks for advice! Alex
- Matthew_Dale_11Nimbostratus
Your iRule would be better since it's looking for 'contains' which would match.
- Alexander_01_13Nimbostratus
Good Idea!
I will submit an RFE.
- Chew_Bacca_1523Nimbostratus
What is the RFE?
- mikeshimkus_111Historic F5 Account
There is an existing RFE for wildcard entries in the APM logout URI. Until that is implemented, an iRule is probably the way to go.
Is it feasible to use policy to force deletion of browser cookies upon exit, until APM supports detecting it automatically?
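Added example (not part of the original thread and not F5's own code): an iRule of the kind discussed above, which uses 'contains' to catch the SharePoint sign-out page under any site path, removes the APM session and returns an expired cookie. The sign-out path, the cookie name MRHSession and the redirect to /vdesk/hangup.php3 are assumptions to check against your own deployment.

```tcl
# Added example, not from the thread. Assumed: the SharePoint 2010 default
# sign-out page and the APM session cookie name MRHSession.
when ACCESS_ACL_ALLOWED {
    set uri [string tolower [HTTP::uri]]

    # 'contains' matches the sign-out page under any site or sub-site path,
    # which a single fixed logout URI entry cannot do.
    if { $uri contains "/_layouts/signout.aspx" } {

        log local0. "APM logout via SharePoint sign-out from [IP::client_addr]"

        # Invalidate the session on the BIG-IP so the cookie value is useless
        # even if a copy survives in the browser store.
        ACCESS::session remove

        # Return an expired session cookie and send the browser to the
        # APM logout page.
        ACCESS::respond 302 Location "/vdesk/hangup.php3" \
            "Set-Cookie" "MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:00 GMT; path=/" \
            Connection Close
    }
}
```

This only fires when the user explicitly requests the sign-out page; it does nothing for a browser that is closed without logging out.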
- Alexander_01_13Nimbostratus
Hey Mike. How can I use policy to delete the session cookie? Any measure to delete abandoned sessions is welcome! Regards, Alex
- mikeshimkus_111Historic F5 Account
You can use Group Policy to force deletion of Temporary Internet Files when the browser is closed. This is located under User Configuration>Policies>Administrative Templates>Windows Components>Internet Explorer>Internet Control Panel>Advanced Page. I believe this should delete the persistent cookies (session cookies are deleted automatically when the browser closes).
This is only going to work if your clients are joined to a domain and using IE.
- Alexander_01_13Nimbostratus
Oh, I thought I could enforce the setting on the BIG-IP. Changing group policies would affect only Windows machines and only Internet Explorer and only our own machines, which we believe to be relatively secure. Also there may be users that are used to the cookie persistence and would miss it badly. So, it is no option, I regret.
- mikeshimkus_111Historic F5 Account
APM does offer client-side endpoint security tools that can delete sessions/temp files when the browser is closed, but AFAIK these are only available when using SSL VPN, and only for IE. Right now, the only way to kill a session after the browser is closed w/o logging out is to use the session inactivity timeout setting.
- Matthew_Dale_11Nimbostratus
What we need is a proper solution. I'm sure there are more people than just us here that have wanted to run SharePoint via F5 with the security levels that ISA provided maintained.
F5 support suggested I investigate adding JavaScript to SharePoint which would erase cookies on "onbeforeload", which might be doable, but then do you want to modify the application when you know the cookie is set from the F5?
What you'd need is an iRule to see if you had any sessions open and, if not, then delete the SharePoint-specific cookie (since I don't think you'd be too popular removing all cookies from anyone's machine).
If I come up with a solution I'll be sure to post back..
- mikeshimkus_111Historic F5 Account
We don't have any way to delete cookies from a client machine using an iRule. We can delete APM sessions using iRules, or even return an expired cookie, but we don't have any criteria to differentiate a session from a closed browser vs one that has just been inactive for a bit. That's why you need a client agent of some sort.
If you delete the APM cookie on "onbeforeload", doesn't that leave the cookie in the browser store where it could be used by a different user (this is the way Office apps can use existing sessions to edit documents)?
Wanting to remove all cookies from the machine on exit is pretty common in the public computer/kiosk scenario. I'm assuming that's what we're talking about here, correct? You wouldn't have much need for this on a trusted machine.
- Mathieu_125197Nimbostratus
Hello guys, I have the same issue. I have created the iRule to delete the session when the browser is closed, but I have another issue when closing the file (Word, Excel...). See the iRule below:

    when SERVER_CLOSED {
        log local0. "Server Connection Closed to [IP::server_addr]."
        # Removes the APM session associated with this connection
        ACCESS::session remove
        log local0. "TCP Connection Closed to [IP::client_addr]."
    }

But when I open/edit the file and then close the file, the iRule is invoked but drops the global session and the cookie, so afterwards I don't have access to the web site. So, do you have any update for this case? Regards
- mikeshimkus_111Historic F5 Account
SERVER_CLOSED is triggered when the server-side connection is closed. You wouldn't want to do that for exactly the reason you mentioned. Your browser session shouldn't even stay valid since the APM session is killed every time a back-end connection is closed. I'll ask around about a possible RFE for this, but AFAIK it's not easy to do or even possible w/o the Edge client.
- theXfactor82_91Nimbostratus
Anybody find a solution to this yet? We are rolling out Sharepoint in the next little while and have come across the same issue.
Thanks, this was an awesome discussion. I too ran into some of these snags and asked an F5 engineer to look into this. Also, has anyone tried this from browsers other than IE? The Office integration is not working for me in any browser other than IE (I guess because where IE stores the cookies is different than Firefox and Chrome).
- Matthew_Dale_11Nimbostratus
I believe it only works in IE.
This is true even when not using F5 in my experience (currently through ISA only IE has the Office integration, Firefox just downloads the file).