Forum Discussion
bhs_114985
Jan 05, 2015 Historic F5 Account
Here is a slightly modified iRule that is confirmed working as of 11.6HF1:
when RULE_INIT {
    set static::access_debug 0
    # The logoff paths are compared against the lower-cased URI, so enter them in lower case.
    set static::logonpage "https://CTX.COMPANY.COM/YOUR_CITRIX_XENAPP/"
    set static::logoff_timeout "/YOUR_CITRIX_XENAPP/site/logout.aspx?ctx_timeout"
    set static::logoff_user "/YOUR_CITRIX_XENAPP/site/logout.aspx"
}
when HTTP_REQUEST {
    log "[string tolower [HTTP::path]]"
    if {$static::access_debug > 1 } { log "uri=[HTTP::uri] | session=[ACCESS::session sid] | client=[IP::client_addr]:[TCP::client_port]" }
    # Has the user logged off?
    if {[string tolower [HTTP::uri]] starts_with $static::logoff_timeout} {
        set ctx_timeout 1
        if {$static::access_debug} { log "Detected logoff!" }
        # need to track the sessionID because after the redirect has been sent, the browser may use an
        # already established (access granted) tcp connection that will be allowed through ACCESS_ACL_ALLOWED.
        table add "ctxloggedoutsessions_[ACCESS::session sid]" 1 60 90
        # store the APM session cookies from the request.
        # (with debug enabled, the session cookie values are written to the log)
        if {[HTTP::cookie exists "MRHSession"]} {
            set MRHSession [HTTP::cookie MRHSession]
            if {$static::access_debug} { log "MRHSession=$MRHSession" }
        }
        if {[HTTP::cookie exists "LastMRH_Session"]} {
            set LastMRH_Session [HTTP::cookie LastMRH_Session]
            if {$static::access_debug} { log "LastMRH_Session =$LastMRH_Session " }
        }
    }
    if {([string tolower [HTTP::uri]] starts_with $static::logoff_user) && ![info exists ctx_timeout]} {
        after 2000 { ACCESS::session remove}
        log local0. "Session manually logging out"
    }
}
when HTTP_RESPONSE {
    set sessionstatus [table lookup "ctxloggedoutsessions_[ACCESS::session sid]"]
    # check if this response is for a session that has been marked as logged off.
    if { $sessionstatus == 1 } {
        # yes, user has logged off.
        if {$static::access_debug} { log "Found session [ACCESS::session sid] in table" }
        set cookieheaders ""
        # prepare the APM session cookies to be expired by setting the date to UNIX TS 0
        if { [info exists MRHSession] } {
            set cookieheaders "MRHSession=$MRHSession;expires=Thu, 01-Jan-1970 00:00:00 GMT;path=/;"
            if {$static::access_debug} { log "setting cookie, MRHSession" }
            unset MRHSession
        }
        if { [info exists LastMRH_Session] } {
            set cookieheaders "$cookieheaders\r\nSet-Cookie: LastMRH_Session=$LastMRH_Session;expires=Thu, 01-Jan-1970 00:00:00 GMT;path=/;"
            if {$static::access_debug} { log "setting cookie, LastMRH_Session" }
            unset LastMRH_Session
        }
        # Loop through all other cookies which are set in the response, and expire those as well.
        # This does not seem to be needed.
        if {$static::access_debug} { log "looping cookies..." }
        foreach orgCookieName [HTTP::cookie names] {
            if {$static::access_debug} { log "found cookie: $orgCookieName=[HTTP::cookie value $orgCookieName]" }
            # HTTP::cookie path returns only the path value, so the attribute name is written explicitly.
            set cookieheaders "$cookieheaders\r\nSet-Cookie: $orgCookieName=[HTTP::cookie value $orgCookieName];expires=Thu, 01-Jan-1970 00:00:00 GMT;path=[HTTP::cookie path $orgCookieName];"
        }
        if {$static::access_debug} { log "Custom cookies: $cookieheaders" }
        # Send a redirect response to the client. With Connection: Close!
        if { $cookieheaders != "" } {
            HTTP::respond 302 Location "$static::logonpage" "Set-Cookie" $cookieheaders "X-OLL-CTX-LOGOUT" "1" "Connection" "Close"
        } else {
            HTTP::respond 302 Location "$static::logonpage" "X-OLL-CTX-LOGOUT" "1" "Connection" "Close"
        }
    }
}
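
A check for the logout redirect that the iRule above builds, as an added example that is not part of the original post: it parses a raw HTTP response and reports whether both APM session cookies were expired and the connection was closed. The function names are hypothetical, and the sample responses and cookie values are constructed.

```python
from datetime import datetime, timezone

APM_COOKIES = ("MRHSession", "LastMRH_Session")  # cookie names used in the iRule
FORMATS = ("%a, %d-%b-%Y %H:%M:%S GMT", "%a, %d %b %Y %H:%M:%S GMT")

def parse_response(raw):
    """Split a raw HTTP response head into (status, [(lower-cased name, value)])."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = [(n.strip().lower(), v.strip())
               for n, _, v in (line.partition(":") for line in lines[1:])]
    return int(lines[0].split()[1]), headers

def cookie_expiry(set_cookie):
    """Return (cookie name, expiry as aware datetime or None) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].partition("=")[0]
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() != "expires":
            continue
        for fmt in FORMATS:
            try:
                return name, datetime.strptime(val, fmt).replace(tzinfo=timezone.utc)
            except ValueError:
                pass  # try the next date format
    return name, None

def audit_logout(raw, now=None):
    """Return a list of problems with a logout response; empty means it passed."""
    now = now or datetime.now(timezone.utc)
    status, headers = parse_response(raw)
    problems = [] if status == 302 else [f"status {status}, expected 302"]
    if not any(n == "connection" and v.lower() == "close" for n, v in headers):
        problems.append("missing Connection: close")
    # Ignore empty Set-Cookie headers; keep cookies whose expiry lies in the past.
    cookies = [cookie_expiry(v) for n, v in headers if n == "set-cookie" and v.strip("; ")]
    expired = {name for name, when in cookies if when is not None and when < now}
    problems += [f"{c} not expired" for c in APM_COOKIES if c not in expired]
    return problems

# Constructed sample responses (not captured traffic); cookie values are placeholders.
EPOCH = "expires=Thu, 01-Jan-1970 00:00:00 GMT;path=/;"
GOOD = ("HTTP/1.0 302 Found\r\nLocation: https://CTX.COMPANY.COM/YOUR_CITRIX_XENAPP/\r\n"
        f"Set-Cookie: MRHSession=PLACEHOLDER;{EPOCH}\r\n"
        f"Set-Cookie: LastMRH_Session=PLACEHOLDER;{EPOCH}\r\n"
        "X-OLL-CTX-LOGOUT: 1\r\nConnection: Close\r\n\r\n")
BAD = ("HTTP/1.1 302 Found\r\nLocation: https://CTX.COMPANY.COM/YOUR_CITRIX_XENAPP/\r\n"
       f"Set-Cookie: MRHSession=PLACEHOLDER;{EPOCH}\r\n"
       "Set-Cookie: LastMRH_Session=PLACEHOLDER;path=/\r\nConnection: keep-alive\r\n\r\n")
```

`audit_logout(GOOD)` returns an empty list, while `audit_logout(BAD)` reports the kept-alive connection and the `LastMRH_Session` cookie that was reissued without an expiry.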