Forum Discussion
iRule to clear session when traversing to new APM Profile
I have a request to add a "reset password" link on the logon page of our primary APM profile portal. I would like to have a link to a separate virtual server tied to a new APM profile which does not require a login and instead would walk users through an APM decision tree depending on their account type (employee vs. contractor) ultimately sending them to the appropriate 3rd party password reset location.
I have struggled to purge the primary APM profile logon page session cookie using an iRule as it seems to persist even when running the commands below:
HTTP::cookie remove MRHSession
ACCESS::session remove
Any help would be appreciated.
Thank you
Please be gentle I'm new to this.
- Yann_Desmarest_Nacreous
Hi,
You need to set a special value for the MRHSession and LastMRH_Session cookies in the response to the client. For example, you can respond as in my example below:
HTTP::respond 302 noserver "Location" "/logout" "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate" Set-Cookie "MRHSession=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=[HTTP::host];path=/" Set-Cookie "LastMRH_Session=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=[HTTP::host];path=/"
The domain value in the cookie depends on how the cookie was set the first time. If it's not provided during authentication, you should remove "domain=[HTTP::host]" in the command.
You can also wait for the backend response and reset the cookie values:
HTTP::cookie insert name <name> value <value> [path <path>] [domain <domain>] [version <0 | 1 | 2>]
Practical example:
HTTP::cookie remove MRHSession
HTTP::cookie remove LastMRH_Session
HTTP::cookie insert name MRHSession value "expired"
HTTP::cookie insert name LastMRH_Session value "expired"
HTTP::cookie expires MRHSession 0 absolute
HTTP::cookie expires LastMRH_Session 0 absolute
- s_martin_253133 Nimbostratus
Appreciate the advice. I have attempted to insert the example lines into an HTTP_REQUEST part of an iRule on the target APM and am still seeing the original MRHSession/LastMRH_Session cookies persist, captured by Fiddler and shown below:
LastMRH_Session=2a94e345 <-This "original" APM cookie will persist until I close the browser
MRHSession=1674a7dc5d9cfea7897058ae2a94e345 <-This "original" APM cookie will persist until I close the browser
LastMRH_Session=4860c635 <-This target APM cookie will change each time I reload the page, which is desired
MRHSession=4e66de30c150cdb553c1cced4860c635 <-This target APM cookie will change each time I reload the page, which is desired
The domain cookie on the original APM is "xxxxx.com" and the target APM is "passwordreset.xxxxx.com"
Any other thoughts?
Thanks
- Yann_Desmarest_Nacreous
Domain is the key! For example, Chrome will not allow you to delete a cookie without specifying the domain if the initial insertion was done by specifying the domain.
- Walter_Kacynski Cirrostratus
I might suggest that you try to set the domain cookie on the new access profile to the "host" of this new virtual server. This will limit the scope of the session to only this virtual. Depending on cookie usage from our first domain, this would eliminate the cookie collision on the client browser as it would be more specific than the root domain scope.
You can specify the domain as follows:
HTTP::cookie remove MRHSession
HTTP::cookie remove LastMRH_Session
HTTP::cookie insert name MRHSession value "expired" path "/" domain "xxxx.com"
HTTP::cookie insert name LastMRH_Session value "expired" path "/" domain "xxxx.com"
HTTP::cookie expires MRHSession 0 absolute
HTTP::cookie expires LastMRH_Session 0 absolute
There is a bug in APM where the built-in logout feature will fail if you specify a domain in the Domain cookie settings under "SSO/Auth Domains" of your access profiles. If you remove the domain cookie from the configuration, the built-in logout feature will work fine.
One additional thing, you may need to do VIP1 targeting VIP2. The VIP2 has the access profile and the VIP1 has the iRule.
To do VIP targeting VIP, you need to add the following command in your iRule:
virtual vs_2
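The "domain is the key" point from the replies above, as an added example that is not code from any poster or from F5: a simplified Python model of browser cookie storage (RFC 6265 style, keyed by name, domain and path) showing which expiring Set-Cookie actually removes the original profile's cookie. The host name portal.xxxxx.com and the cookie values are constructed assumptions, and the default path is simplified to "/".

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def domain_match(host, domain):
    # RFC 6265 domain-match: identical, or host is a subdomain of domain
    return host == domain or host.endswith("." + domain)

class Jar:
    """Simplified browser cookie store keyed by (name, domain, path)."""
    def __init__(self):
        self.store = {}  # (name, domain, path) -> (value, host_only)

    def set_cookie(self, request_host, header):
        """Apply one Set-Cookie header value received from request_host."""
        first, *rest = [p.strip() for p in header.split(";")]
        name, _, value = first.partition("=")
        attrs = {k.strip().lower(): v.strip()
                 for k, _, v in (p.partition("=") for p in rest)}
        domain = attrs.get("domain", "").lstrip(".").lower()
        host_only = not domain
        if host_only:
            domain = request_host
        elif not domain_match(request_host, domain):
            return  # a host cannot set or delete cookies for a foreign domain
        key = (name, domain, attrs.get("path", "/"))
        exp = attrs.get("expires")
        if exp and parsedate_to_datetime(exp) <= datetime.now(timezone.utc):
            self.store.pop(key, None)  # expiry removes only the identical key
        else:
            self.store[key] = (value, host_only)

    def sent_to(self, host):
        # cookie values the browser would attach to a request for host
        return sorted(v for (n, d, p), (v, host_only) in self.store.items()
                      if (d == host if host_only else domain_match(host, d)))

def demo():
    reset = "passwordreset.xxxxx.com"
    jar = Jar()
    # Constructed: original profile sets a domain cookie; "portal" host is assumed.
    jar.set_cookie("portal.xxxxx.com", "MRHSession=orig; domain=xxxxx.com; path=/")
    expired = "MRHSession=deleted; expires=Thu, 01-Jan-1970 00:00:10 GMT; path=/"
    out = {"before": jar.sent_to(reset)}
    jar.set_cookie(reset, expired)                         # no domain attribute
    out["no_domain"] = jar.sent_to(reset)
    jar.set_cookie(reset, expired + "; domain=" + reset)   # domain=[HTTP::host]
    out["host_domain"] = jar.sent_to(reset)
    jar.set_cookie(reset, expired + "; domain=xxxxx.com")  # matches original scope
    out["parent_domain"] = jar.sent_to(reset)
    return out
```

Only the last Set-Cookie, whose domain equals the scope the original cookie was issued with, clears it; the other two leave the parent-domain cookie in place, which is the behaviour seen in the Fiddler capture.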