Forum Discussion

Nimbostratus

May 31, 2016

iRule to clear session when traversing to new APM Profile

I have a request to add a "reset password" link on the logon page of our primary APM profile portal. I would like to have a link to a separate virtual server tied to a new APM profile which does not...

application delivery

BIG-IP Access Policy Manager (APM)

iRules

security

Yann_Desmarest_

Nacreous

Jun 01, 2016

Hi,

You need to set a special value for MRHSession and LastMRH_Session cookies in the response to the client. For example, you can respond like in my example below :

HTTP::respond 302 noserver "Location" "/logout" "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate" Set-Cookie "MRHSession=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=[HTTP::host];path=/" Set-Cookie "LastMRH_Session=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=[HTTP::host];path=/"

The domain value in the cookie depends on how the cookie was set the first time. If it's not provided during authentication, you should remove "domain=[HTTP::host]" in the command.

You can also wait for the backend response and reset the cookie values :

HTTP::cookie insert name value [path ] [domain ] [version <0 | 1 | 2>]

practical example :

HTTP::cookie remove MRHSession
HTTP::cookie remove LastMRH_Session
HTTP::cookie insert name MRHSession value "expired"
HTTP::cookie insert name LastMRH_Session value "expired"
HTTP::cookie expires MRHSession 0 absolute
HTTP::cookie expires LastMRH_Session 0 absolute

s_martin_253133
Nimbostratus
Jun 01, 2016
Appreciate the advice. I have attempted to insert the example lines into a HTTP_REQUEST part of an iRule on the target APM and am still seeing the original MRHSession/LastMRH_Session cookies persist captured by fiddler and shown below: LastMRH_Session=2a94e345 <-This "original" APM cookie will persist until I close the browser MRHSession=1674a7dc5d9cfea7897058ae2a94e345 <-This "original" APM cookie will persist until I close the browser LastMRH_Session=4860c635 <-These target APM cookie will change each time I reload the page which is desired MRHSession=4e66de30c150cdb553c1cced4860c635 <-These target APM cookie will change each time I reload the page which is desired The domain cookie on the original APM is "xxxxx.com" and the target APM is "passwordreset.xxxxx.com" Any other thoughts? Thanks
Yann_Desmarest_
Nacreous
Jun 01, 2016
Domain is the key! For example, Chrome will not allow you to delete a cookie without specifying the domain if the initial insertion was done by specifying the domain.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

iRule to clear session when traversing to new APM Profile

Recent Discussions

MAC address of deleted VS IP address still responsive

ports are showing open on online scanning tool

how to whitelist new source IP on F5 web UI access

TMSH Command to list ASM policies not attached to any virtual servers in all partitions

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Related Content

Path Traversal Detection

Agility sessions announced

DoS Profiles

Directory Traversal with Spring MVC on Windows (CVE-2018-1271)

FTP Session Logging

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS