iRule to restart APM session
Hello,
I'm deploying an environment where two separate portals, both published via F5 with separate access profiles, are hosted on the same F5 platform.
There are hyperlinks in one of them that link to resources in the other portal. Users will need to authenticate (separate authentication from the first portal) to see the resources.
The problem I'm facing is that when a hyperlink is clicked, F5 believes this is a hijacking attempt. It resets the authentication session previously opened for the first portal, and shows an error on the second logon page stating that the session was reset (showing the ID for the session opened beforehand on the first portal). Clicking the "Start a new session" button does not restart authentication successfully.
I've noticed the only way to make it work will be opening a session on the second portal in the new page, then clicking the hyperlink will display "invalid username and password" and prompt for new authentication.
I've thought about writing an iRule that drops and restarts the authentication session if the HTTP::referrer header is populated with the first portal, but I'm struggling to do so (so far I'm stuck in a redirect loop).
Can anyone please help me with that?
So far it looks like
when ACCESS_SESSION_STARTED {
    if { [HTTP::header value Referer] equals "https://firstsite/" } {
        ACCESS::session remove
        ACCESS::respond 302 noserver Location "/"
        return
    }
}
Thanks in advance
CA
solved with brand new code to manage cookies.
- CayOnWayNimbostratus
Hi CA,
Do you have the iRule at hand that solves the problem of removing an APM session?
Cheers,
Cay
Hello Cay, what do you need to achieve?
I do have some working code, but I remember tuning this iRule to be specific for my scenario.
- CayNimbostratus
Hello CA,
I use the APM my.policy to perform OAuth2 Azure authorization. We would like to be able to log in and log out users from the app. With both I stumbled upon ACCESS::session and found your article. So I tried to log out a user with ACCESS::session remove at HTTP_REQUEST, HTTP_RESPONSE. You suggest ACCESS_SESSION_STARTED, but this never worked and I think it is too early. If you have a codlet with the events I could dig deeper.
I hope this helps you to help me :-).
Cheers,
Cay