Forum Discussion

Nimbostratus

May 31, 2016

iRule to clear session when traversing to new APM Profile

I have a request to add a "reset password" link on the logon page of our primary APM profile portal. I would like to have a link to a separate virtual server tied to a new APM profile which does not...

application delivery

BIG-IP Access Policy Manager (APM)

iRules

security

Yann_Desmarest_

Nacreous

Jun 01, 2016

Hi,

You need to set a special value for MRHSession and LastMRH_Session cookies in the response to the client. For example, you can respond like in my example below :

HTTP::respond 302 noserver "Location" "/logout" "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate" Set-Cookie "MRHSession=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=[HTTP::host];path=/" Set-Cookie "LastMRH_Session=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=[HTTP::host];path=/"

The domain value in the cookie depends on how the cookie was set the first time. If it's not provided during authentication, you should remove "domain=[HTTP::host]" in the command.

You can also wait for the backend response and reset the cookie values :

HTTP::cookie insert name value [path ] [domain ] [version <0 | 1 | 2>]

practical example :

HTTP::cookie remove MRHSession
HTTP::cookie remove LastMRH_Session
HTTP::cookie insert name MRHSession value "expired"
HTTP::cookie insert name LastMRH_Session value "expired"
HTTP::cookie expires MRHSession 0 absolute
HTTP::cookie expires LastMRH_Session 0 absolute

s_martin_253133

Nimbostratus

Jun 01, 2016

Appreciate the advice. I have attempted to insert the example lines into a HTTP_REQUEST part of an iRule on the target APM and am still seeing the original MRHSession/LastMRH_Session cookies persist captured by fiddler and shown below: LastMRH_Session=2a94e345 <-This "original" APM cookie will persist until I close the browser MRHSession=1674a7dc5d9cfea7897058ae2a94e345 <-This "original" APM cookie will persist until I close the browser LastMRH_Session=4860c635 <-These target APM cookie will change each time I reload the page which is desired MRHSession=4e66de30c150cdb553c1cced4860c635 <-These target APM cookie will change each time I reload the page which is desired The domain cookie on the original APM is "xxxxx.com" and the target APM is "passwordreset.xxxxx.com" Any other thoughts? Thanks

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

iRule to clear session when traversing to new APM Profile

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

How can I get started with iCall

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Related Content

Citrix XenMobile Server– Path Traversal

MCP Session Affinity With F5 NGINX Plus

Path Traversal Detection

Confluence Arbitrary File Write via Path Traversal (CVE-2019-3398)

TLS Stateful vs Stateless Session Resumption

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS