Forum Discussion
Help with iRule - APM Logout Sequence + Redirect
Environment = SAP Netweaver (LTM/APM)
The iRule configured for the Logout URI redirects users to hangup.php3 but does not remove the session cookies. This gives users the ability to access the servers directly (bypassing the APM), and we need help.
I'm not sure we are doing this the best way. We got it to function, but the session cookies are not being removed. It seems to be the order of execution: the redirect to hangup.php3 is executed before the REMOVE cookies command is able to execute.
As it is today this will never get past the Network Security team. Any advice would be appreciated; here's what happens:
User hits the Logout button (defined in the APM access policy as the Logout URI); this is the LogOutComponent defined in the iRule as well. Nothing really happens without the iRule. When we use this iRule it removes the session from the APM, but the problem is the SAP cookies are still there and the user can simply access the servers directly (servers are not in a secure VLAN).
So we need a way to have the redirect happen after the REMOVE Cookie portion. But it is all part of the same response, so I'm not sure this is the correct way of doing it.
The only cookie that we really need removed is the MYSAPSSO2. The others would be nice. I can upload a screenshot of Fiddler if that helps (where you can see the redirect to hangup and it still has the cookies).
    when HTTP_REQUEST {
        # this will redirect users to the login screen if user is logging out
        if { [HTTP::uri] == "/irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.masthead.LogOutComponent" } {
            log local0.info "ABC - logging off from portal"
            ACCESS::session data set "session.user.esssso" "done"
            # remove session info
            ACCESS::session remove
            set removeCookiesFlag "YES"
            # send to login screen, hard coded for now (URL stripped from the post)
            HTTP::redirect "LOGIN_URL_STRIPPED_FROM_POST"
        }
    }
    when HTTP_RESPONSE {
        # session is over, remove all cookies
        if { [ACCESS::session data get "session.user.esssso"] == "done" } {
            log local0.info "ABC - deleting Portal cookies"
            # remove all SAP cookie
            HTTP::cookie remove "SAPSSO"
            # remove sso cookie
            # (command stripped from the post; only its arguments "ess_login" "not allowed" survived)
            # remove session info
            ACCESS::session remove
            HTTP::close
            # (URL stripped from the post)
            HTTP::redirect "URL_STRIPPED_FROM_POST"
        }
    }
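The single-response approach the question is circling around, written as an added example (it is neither the poster's iRule nor F5 reference code): the APM session is torn down and the SAP cookies are expired in the same HTTP::respond that carries the redirect, so nothing depends on HTTP_RESPONSE firing after a locally generated redirect. The login URL and cookie domain are placeholders; the cookie names are the ones named in the post.

```tcl
when RULE_INIT {
    # Placeholders, not values from the post: where to land the user after
    # logout, and the domain the SAP cookies were issued for.
    set static::login_url "https://LOGIN_URL_PLACEHOLDER/"
    set static::sso_domain ".example.com"
}

when HTTP_REQUEST {
    # Same logout URI the post's iRule matches on.
    if { [HTTP::uri] equals "/irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.masthead.LogOutComponent" } {
        log local0.info "ABC - logging off from portal"

        # Tear down the APM session here; a locally generated response never
        # reaches the pool, so there is no server response to clean up later.
        ACCESS::session remove

        # Expire the SAP cookies in the very response that redirects. A browser
        # only discards a cookie when name, domain and path match the one it
        # holds, so these attributes must mirror what SAP originally set.
        set kill "deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; domain=$static::sso_domain; Secure; HttpOnly"

        HTTP::respond 302 noserver \
            "Location" $static::login_url \
            "Set-Cookie" "MYSAPSSO2=$kill" \
            "Set-Cookie" "SAPSSO=$kill" \
            "Cache-Control" "no-store"
        return
    }
}
```

Expiring the cookie only instructs the browser; it does not invalidate the MYSAPSSO2 ticket on the SAP side, so a copy kept elsewhere still works against servers that are reachable without passing through the APM. That bypass closes only when the servers accept traffic solely from the BIG-IP.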
1 Reply
- Zero_86762
Nimbostratus
I tried to encrypt the cookie, thinking this would be a good workaround. And it does allow the user to log off, and even if they have the cookie it is now encrypted.
The problem is, without removing the cookies, if the user tries to log back in and gets load balanced to another server, the session is invalid. He never gets the new cookie (when they log in) because he already has it.
Doh, I thought I had a good solution, but back to the drawing board...