Forum Discussion

smilanko_261688's avatar
smilanko_261688
Icon for Cirrus rankCirrus
Jun 09, 2016

Knowing the originating request

I am unsure as to how I can correctly phrase this question, so bear with me here.   The way my current application works is as follows.   When a user hits a webpage, www.mydomian.com , it hits...
application delivery
BIG-IP Access Policy Manager (APM)
devops
iRules
  • Lucas_Thompson_'s avatar
    Lucas_Thompson_
    Jun 09, 2016

    "...The trick here is that the user is never accessing a url when they click logout..."

     

    So, you have some JS stuff that is running I guess. There are some options:

     

    • Can you call an ajax request here (onclick, etc) to push the logout request to APM?
    • You can delete the user's session cookie with JS. But it must not be HTTPONLY in that case. And if you can't inform the APM that the session is deleted, then you have an idle session sticking around until the idle timeout.
    • You can delete the APM session in irules if you want, but you have to simultaneously issue a set-cookie header to the client (or do it with JS) in order to delete the client's cookie, or it will try to access the APM with a bad session ID.

    Your header idea is a little bit unconventional, but could work. How are you getting the client to add headers to its request or is it the server's response?

     

Lucas_Thompson_'s avatar
Lucas_Thompson_
Historic F5 Account

"...The trick here is that the user is never accessing a url when they click logout..."

 

So, you have some JS stuff that is running I guess. There are some options:

 

  • Can you call an ajax request here (onclick, etc) to push the logout request to APM?
  • You can delete the user's session cookie with JS. But it must not be HTTPONLY in that case. And if you can't inform the APM that the session is deleted, then you have an idle session sticking around until the idle timeout.
  • You can delete the APM session in irules if you want, but you have to simultaneously issue a set-cookie header to the client (or do it with JS) in order to delete the client's cookie, or it will try to access the APM with a bad session ID.

Your header idea is a little bit unconventional, but could work. How are you getting the client to add headers to its request or is it the server's response?

 

smilanko_261688's avatar
smilanko_261688
Icon for Cirrus rankCirrus
Jun 09, 2016
"So, you have some JS stuff that is running I guess" Correct. Can you call an ajax request here (onclick, etc) to push the logout request to APM? I could, but I am unsure how one would "push the logout request to APM" ? Could you clarify that a bit more? How are you getting the client to add headers to its request or is it the server's response? The headers are originally added by F5 when a successful authentication occurs. In my application, I can also set/read/modify the headers by intercepting all requests to my application through spring security AbstractPreAuthenticatedProcessingFilter. Alternative methods to let APM know that the session is complete would really answer my question.