Forum Discussion
How to write an iRule to delete session cookies so that we can enhance the security level.
We have a few admin URLs that we don't want to be accessible to a third person after we log out from the application. So can we write an iRule to "set all cookies to expired state"?
9 Replies
- Hannes_Rapp
Nimbostratus
Do you wish the cookies to be invalidated in client browser after the logout request?
Should get you started:
```tcl
when HTTP_REQUEST {
    # Reset per request; remember which cookies the client sent
    set logOut 0
    set cookiesInRequest [HTTP::cookie names]
    # Tcl has no single-quoted strings: the pattern must be double-quoted
    if { [string tolower [HTTP::path]] ends_with "/logout.php" } {
        set logOut 1
    }
}
when HTTP_RESPONSE {
    if { $logOut == 1 } {
        foreach aCookie $cookiesInRequest {
            # HTTP::cookie expires only rewrites a Set-Cookie header that is
            # already in the response, so insert one first for each name
            if { ![HTTP::cookie exists $aCookie] } {
                HTTP::cookie insert name $aCookie value "" path "/"
            }
            HTTP::cookie expires $aCookie 1 absolute
        }
    }
}
```
- dipta_03_149731
Nimbostratus
Thanks for responding Hannes..
Yes, I would want to delete all session cookies, whatever got established during a session. And this should work in all browsers, be it IE or Chrome. Right now, after we click on the logout page, we see a 302 redirect to page, for instance. So what I want to do is:
Browser: GET /logout
VIP response: set all cookies to expired
- Hannes_Rapp
Nimbostratus
"Right now after we click on logout page we see a 302 redirect to https://xxx/logout page for instance." Seems like you can give it a try then. This iRule will let the '/logout.php' request reach the end server, and upon response it will append Set-Cookie HTTP headers to the original response to make the client cookies expire. You do not need to force an HTTP response from the F5, which would intercept the application response.
- dipta_03_149731
Nimbostratus
So Hannes, it's a bit different here. We already have a page that does both of the following:
A) It causes the reverse proxy to kill the session.
B) It then returns an HTML page to be displayed in the browser stating that the session has expired, etc.
Now, that HTML page currently includes JavaScript that will set all cookies to expired. Currently it is that JavaScript that (tries to) get rid of all the cookies. The idea with an iRule is to get rid of all cookies instead of JavaScript running in the HTML page. Not only would this new approach be definitive and not affected by different JavaScript engines in different browsers, it would also allow us to enable HttpOnly on all cookies.
- dipta_03_149731
Nimbostratus
And we want to use our /pkmslogout page in the iRule.
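The approach Hannes describes, applied to the /pkmslogout requirement from this thread: an iRule that lets the logout request reach the backend and then, on the response, emits an expired Set-Cookie for every cookie name the client sent, with Secure and HttpOnly set. This is an added example, not code from the thread or from F5; it assumes the VIP is HTTPS, that the logout path is exactly /pkmslogout, and that the application set its cookies with Path=/ or Path=/admin (the cookiePaths list is an assumption to adjust).

```tcl
# Added example (not from the thread). Assumes an HTTPS VIP, a logout URL of
# /pkmslogout, and application cookies scoped to Path=/ or Path=/admin.
when HTTP_REQUEST {
    # Connection-scoped variables survive keep-alive reuse, so reset per request
    set logOut 0
    set cookiesInRequest [HTTP::cookie names]
    if { [string tolower [HTTP::path]] equals "/pkmslogout" } {
        set logOut 1
    }
}
when HTTP_RESPONSE {
    if { $logOut } {
        # A browser only overwrites a cookie when name, domain and path all
        # match the original, so one expired copy per path the app used (assumed)
        set cookiePaths [list "/" "/admin"]
        foreach aCookie $cookiesInRequest {
            # Drop any fresh Set-Cookie the backend emits for this name on logout
            if { [HTTP::cookie exists $aCookie] } {
                HTTP::cookie remove $aCookie
            }
            foreach aPath $cookiePaths {
                HTTP::header insert Set-Cookie "$aCookie=deleted; Path=$aPath; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Secure; HttpOnly"
            }
        }
        # Keep the logout response (and its Set-Cookie headers) out of caches
        HTTP::header replace Cache-Control "no-store"
        log local0. "Expired [llength $cookiesInRequest] cookie(s) on logout for [IP::client_addr]"
    }
}
```

Because the expiry is written by the proxy rather than by page JavaScript, every application cookie can carry HttpOnly without breaking logout. Two caveats to check before relying on it: cookies the application scoped to a domain attribute need a matching Domain= on the expiring header, and this only clears browser-side state; the session record itself is still only invalidated by the application or reverse proxy that owns it.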
- dipta_03_149731
Nimbostratus
Could I get some response please...
- dipta_03_149731
Nimbostratus
OK, I would consider a no solution from DevCentral here!! Let's see if we can resolve this internally.
- Rami_307440
Nimbostratus
Hi, were you able to solve this problem? The only way to clear or change a session is by the application, as it's the only owner of that session. You may insert a new session, but the old session will remain unless you close the browser.
```tcl
when HTTP_REQUEST {
    set logOut 0
    if { ([HTTP::uri] ends_with "logout") or ([HTTP::uri] ends_with "logout.do") } {
        set logOut 1
    }
}
when HTTP_RESPONSE {
    if { $logOut == 1 } {
        # Overwrites the client's session_id cookie with a fixed dummy value;
        # the server-side session tied to the old value is not invalidated
        set session_key "whatever0928340923any"
        HTTP::cookie insert name "session_id" value $session_key
    }
}
```
Please let me know if you find a way to clear the session on logout using iRules.
Thanks,