Forum Discussion
f5 sharepoint tenacious session issue
Good evening!
We are experiencing a security issue with our f5 sharepoint deployment. I have used the iapp f5.microsoft_sharepoint_2010, Software Version is BIG-IP 11.4.1 Build 608.0 Final
The problem is that once a browser session is established, it will continue even though the browser is closed and even if the client is rebooted. When I call up the url of the sharepoint it will connect me without asking for authentication.
How can I achieve that upon closing the browser the session becomes invalid?
Thanks for advice! Alex
- Rob_28_145615Nimbostratus
Same problem here, SharePoint 2010 with persistent cookies enabled on F5 in order to allow editing in Office. Until solution is found we decided to set timeout to 5 minutes, then added JS code to SharePoint master page to retrieve an image every 4 and half minutes. This resets expiry on persistent cookie for another 5 minutes, cutting down to max 5 minutes chance of someone unauthorized accessing the site on public computer. Still this is a hole that should not be there. I understand users should always click on Sign Out, but that’s not guaranteed. Chances are most of them will close the browser and assume they are logged out. Also, we can’t rely on public computers to be set to delete permanent cookies on browser closing.
Suggestion for permanent solution, assuming session cookies are killed on closing a browser: Create one browser session cookie and one persistent cookie when starting a new session. When browser is closed, session cookie will be deleted. If someone reopens the browser and tries to access the site, F5 should check for both session and persistent cookies. If they don’t match or one is missing, F5 should kill the session.
- Mathieu_125197NimbostratusHi Rob 28, I have the same situation in my architecture, so your solution interest me , could you give us detail the action to put in place to resolve this ( Delete cookie), maybe you use the Irule?
- JariHNimbostratusHi, we faced the same problem with persistent APM session cookies. Customer is really mad. Users can access the web site after browser close. Does anyone have any template for this Cookie workaround that Rob 28 proposed above? It sounds like doable and valid solution, but I don't know correct events where that LB cookie should be created and where to be checked to prevent access to site. Thanks in advance
- BrettReed_16317Nimbostratus
HAs anyone found a way to make this work - we have the same issue - moving from TMG which allows you to set cookies depending on whether you are using a public or private computer. Firefox works correctly, IE works using "contains" iRule but cannot get Chrome or Opera browser to perform correctly with their default settings
- theXfactor82_91Nimbostratus
Opening up a ticket with F5 on this subject did not help. They indicated that this issue is a feature request and that if I provided them with the info below they would submit an RFE.
- Describe the new feature in as much detail as possible.
- What is the problem that would be resolved by adding this new feature?
- What is the business impact to your site due to the lack of this feature?
I'll jump through all the hoops but I'm not expecting any solution in the near future.
- mikeshimkus_111Historic F5 AccountHi, please send me a DevCentral pm with any RFE information provided to you by F5 (subcase , etc). I can follow its progress from the solutions engineering POV and gather additional customer evidence, if necessary.
This is f5 support answer for the issue: This is expected behaviour because the Sharepoint Deployment uses a Persistence Cookie which is required to edit/access Word,Excel,etc documents.The http client used by word,excel etc, must have access to the session cookie to pass through apm without getting redirected to the logon page. Transient cookies in browsers are not accessible by another program, as they are in memory. While persistent cookies are as stored in disk.
If you would not be editing documents in Sharepoint then you can disable the Persistence Cookie (Access Profile-->SSO/Auth Domains-->Cookie Options--->Persistent
Please be sure that you would not be editing documents in future as unchecking the Persistent Cookie would prevent you from this.If the above change is made,after closing the browser the session should be deleted.
Alternatively you could opt to use Portal Access for your deployment.
- MichaelatF5Employee
Not sure if this is too late, or helps at all, but I have had some success in a lab environment. Just attach a default stream profile and this irule.
This will inject some javascript into the bottom of the page the looks for a user to close the browser, then transparent redirect to SignOut.aspx, which APM interprets as a logout and terminates the session (and persistent cookies). May not work in all environments, and this code only supports IE. For Firefox and Chrome you have to return a message. http://stackoverflow.com/questions/9626059/window-onbeforeunload-in-chrome-what-is-the-most-recent-fix
when HTTP_REQUEST { Looks for SharePoint hangup, kills APM session. Could also set via Logout URI Include setting in APM. if { [string tolower [HTTP::uri]] contains "signout.aspx"} { ACCESS::session remove } STREAM::disable HTTP::header remove "Accept-Encoding" } when HTTP_RESPONSE { Check if response type is text if { [HTTP::header value Content-Type] contains "text" } { Define the stream replacement Change the 15 in the following line to the version of sharepoint being used 13 = 2007 / 14 = 2010 / 15 = 2013 STREAM::expression {@@ @} STREAM::enable } }
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com