Forum Discussion

Nimbostratus

May 31, 2016

iRule to clear session when traversing to new APM Profile

I have a request to add a "reset password" link on the logon page of our primary APM profile portal. I would like to have a link to a separate virtual server tied to a new APM profile which does not...

application delivery

BIG-IP Access Policy Manager (APM)

iRules

security

Yann_Desmarest_

Nacreous

Jun 01, 2016

Hi,

You need to set a special value for MRHSession and LastMRH_Session cookies in the response to the client. For example, you can respond like in my example below :

HTTP::respond 302 noserver "Location" "/logout" "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate" Set-Cookie "MRHSession=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=[HTTP::host];path=/" Set-Cookie "LastMRH_Session=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=[HTTP::host];path=/"

The domain value in the cookie depends on how the cookie was set the first time. If it's not provided during authentication, you should remove "domain=[HTTP::host]" in the command.

You can also wait for the backend response and reset the cookie values :

HTTP::cookie insert name value [path ] [domain ] [version <0 | 1 | 2>]

practical example :

HTTP::cookie remove MRHSession
HTTP::cookie remove LastMRH_Session
HTTP::cookie insert name MRHSession value "expired"
HTTP::cookie insert name LastMRH_Session value "expired"
HTTP::cookie expires MRHSession 0 absolute
HTTP::cookie expires LastMRH_Session 0 absolute

s_martin_253133
Nimbostratus
Jun 01, 2016
Appreciate the advice. I have attempted to insert the example lines into a HTTP_REQUEST part of an iRule on the target APM and am still seeing the original MRHSession/LastMRH_Session cookies persist captured by fiddler and shown below: LastMRH_Session=2a94e345 <-This "original" APM cookie will persist until I close the browser MRHSession=1674a7dc5d9cfea7897058ae2a94e345 <-This "original" APM cookie will persist until I close the browser LastMRH_Session=4860c635 <-These target APM cookie will change each time I reload the page which is desired MRHSession=4e66de30c150cdb553c1cced4860c635 <-These target APM cookie will change each time I reload the page which is desired The domain cookie on the original APM is "xxxxx.com" and the target APM is "passwordreset.xxxxx.com" Any other thoughts? Thanks
Yann_Desmarest_
Nacreous
Jun 01, 2016
Domain is the key! For example, Chrome will not allow you to delete a cookie without specifying the domain if the initial insertion was done by specifying the domain.