Forum Discussion
Is "ACCESS::session remove" an asynchronous iRule command?
- Jun 05, 2019
Looks like another engineer I work with may have found the answer. The command is behaving differently than when I used it in the past (versions 12 and below) but not necessarily because it's asynchronous. It looks more likely that it's simply failing to process in a timely fashion due to this Bug ID. I am calling it in the HTTP_REQUEST event, which is outside the ACCESS events, and my version is 13, which is affected. So it looks like I meet the criteria to hit the bug.
I've decided to try to work around this by simply deleting the user's MRHSession cookie (this is the name of APM's session cookie) during the next HTTP response, which has the effect of killing off their access to the session, while allowing them to keep browsing to unprotected areas of the site. Hopefully this information and the workaround will be of use to others who may run into this bug.
Bug ID 697590: APM iRule ACCESS::session remove fails outside of Access events
Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5, 14.1.0, 14.1.0.1, 14.1.0.2, 14.1.0.3, 14.1.0.4, 14.1.0.5, 15.0.0
Opened: Dec 05, 2017
Severity: 3-Major
Symptoms
ACCESS::session remove fails
Impact
APM iRule ACCESS::session remove fails to remove session
Conditions
iRule calling ACCESS::session remove outside of Access events.
Workaround
Use "ACCESS::session modify" and set the timeout/lifetime to something small, like 1 second. This should cause the session to be deleted due to timeout almost immediately, but note that it will show up in logs as timeout.
Fix Information
None
The hangup page is not really a substitute for the iRule command. The hangup page is used when you want the user to log out, and you want to send them an actual logout page and basically stop the flow of all their traffic.
The iRule "ACCESS::session remove" command is used for very different use cases. It is used when you want to end a session based on some condition you see in the traffic, but you don't want to interrupt the flow of the user's browsing by redirecting them and stopping them cold on the logout page. That's the scenario I'm in, so calling the logout page would not be an acceptable substitute.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com