For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Cory_O_150882's avatar
Cory_O_150882
Icon for Nimbostratus rankNimbostratus
Jan 24, 2016

Inactivity Timeout - MultiDomSSO With Persistent MRHSession Cookies

Good morning! I was looking to modify our SharePoint solution published through APM so that in the event of a user utilizing multiple tabs, a logout from one will simply shorten the Inactivity Time...
application delivery
BIG-IP Access Policy Manager (APM)
iRules
Cory_O's avatar
Cory_O
Icon for Cirrus rankCirrus
Jan 25, 2016

Kai Wilke is a genius! I've implemented the iRule snippet under a HTTP_REQUEST Event with a couple simple modifications:

 

if { [set slo_lifetime [table lifetime -remaining "slo_[ACCESS::session sid]"]] eq "" } then {
    if { [HTTP::uri] ends_with "/_layouts/SignOut.aspx" } {
        table set "slo_[ACCESS::session sid]" "1" indef 1860
    }
} else {
    if { $slo_lifetime < 1560 } then {
        ACCESS::session remove
        HTTP::respond 302 Location "/vdesk/hangup.php3"
    }
    table delete "slo_[ACCESS::session sid]"
}

 

The originally proposed code ran a table lookup -notouch command which only pulled the established value of "1". I changed this to table lifetime -remaining which now polls the table entry for its remaining lifetime. Also, since I wanted a 5 minute buffer between logging out and the session expiring, I changed the second value to subtract 300 instead of 900.

Bottom line; this thing is working BEAUTIFULLY. Top marks to Kai, and thank you!

-Cory