Forum Discussion

Jun 09, 2016
Solved

Knowing the originating request

I am unsure as to how I can correctly phrase this question, so bear with me here.

 

The way my current application works is as follows.

 

When a user hits a webpage, www.mydomian.com , it hits the F5 VS endpoint. They are presented with an F5 login form that does AD authentication. If successful, F5 grabs the AD roles they belong to, and the entered username, and injects it into the header of the request for the application to process.

 

Now, this all works just fine as expected. My application reads the headers, and lets the user perform actions based on what data was received in the header. Now, I want to implement a "logout" feature for the application, where the F5 client side connection is terminated.

 

The documentation of F5 provides a solution to this, where we can add a logout url to the Access Policy configuration. When a user hits some url, they are logged out, after a predefined timeout period. While this is a good solution, I am looking for something to meet the following scenario:

 

After the user is done performing actions in F5, he clicks logout. Logout action wipes the headers and redirects back to F5. (I can do all of this in the application without a problem.) The trick here is that the user is never accessing a url when they click logout, as in, the url does not change. So I am unaware as to how I can alert F5 that the session needs to end for that particular client connection.

 

Ideas: One way I was thinking about solving this problem is by adding an additional header once the logout process initiates in the application. For the purpose of this question, we can call it "action" = "logout". If this is the case, then I can attach an iRule to the VS, and for every HTTP_REQUEST check if that header exists; in which case, the session should be deleted.

 

Is this a good solution to make this work? Is there a better way to alert F5 that a session needs to end, without relying on the uri, that would work in a better way for my header based authentication?

 


3 Replies

  •
    Lucas_Thompson_
    Historic F5 Account

    "...The trick here is that the user is never accessing a url when they click logout..."

     

    So, you have some JS stuff that is running I guess. There are some options:

     

    • Can you call an Ajax request here (onclick, etc.) to push the logout request to APM?
    • You can delete the user's session cookie with JS. But it must not be HttpOnly in that case. And if you can't inform the APM that the session is deleted, then you have an idle session sticking around until the idle timeout.
    • You can delete the APM session in iRules if you want, but you have to simultaneously issue a Set-Cookie header to the client (or do it with JS) in order to delete the client's cookie, or it will try to access the APM with a bad session ID.

    Your header idea is a little bit unconventional, but could work. How are you getting the client to add headers to its request or is it the server's response?

     

    • smilanko_261688

      "So, you have some JS stuff that is running I guess" Correct.

      "Can you call an ajax request here (onclick, etc) to push the logout request to APM?" I could, but I am unsure how one would "push the logout request to APM"? Could you clarify that a bit more?

      "How are you getting the client to add headers to its request or is it the server's response?" The headers are originally added by F5 when a successful authentication occurs. In my application, I can also set/read/modify the headers by intercepting all requests to my application through Spring Security's AbstractPreAuthenticatedProcessingFilter. Alternative methods to let APM know that the session is complete would really answer my question.
    • Lucas_Thompson_
      Historic F5 Account

      I'd keep it simple and do as much in the frontend as you can. So the frontend client JS can delete the APM session cookie (MRHSession). At the same time you can also tell the client to do an XHR to the APM logout URI (I meant this when I said "push the logout request"). APM has a built-in one that's "https://apm.host.name/my.logout.php3", or you can define another one. This will make APM delete the session. So then you've accomplished a complete logout. Then you can do whatever you like with the client code, like display a logout page or 302 the user to the APM login page again, or whatever. ...Or you can make it super simple and just have the logout button do a "window.location.assign('https://apm.host.name/my.logout.php3');" call; then you'd get APM's logout page, which you could customize however you want.