Forum Discussion

amolari_4313
Mar 12, 2014

logout URI

There are some threads about that already, but they do not answer my question. Because the APM function "logout URI" is an exact match "equals" and it doesn't fit my use-case, I need to write an iRule. I've seen that previous threads "fight" among themselves between those 2 variants:

when ACCESS_ACL_ALLOWED {
    if { [HTTP::uri] ends_with "/?cmd=logout" } {
        ACCESS::session remove
        HTTP::redirect "https://[HTTP::host]"
    }
}

and the same but with HTTP_REQUEST

I'm not using APM+LTM but have WebApp resources (with or without webtop). I want to be sure that I perform the above but AFTER the original request has been sent to the backend (to perform the APM logout after the backend logout). I'm not sure it's the case with both iRule events and my use-case (webapp/webtop).

6 Replies

  • Can you clarify "I'm not using APM+LTM"? It would appear that you are. In any case, if you're looking to remove the access session when the user requests a logout URI from the app, why not just use the Logout URI setting in the access policy itself?

     

  • I meant my backend is an APM web portal application (with and without webtops). The logout URI function is an "equal" match (for ex. "/SignOut.aspx") and I can't use that because my backend provides context-based logout URIs (for ex. "abc/EN/SignOut.aspx"). So I need to use an iRule with an "ends_with" matching of the URI. I've been able to perform the APM logout for the client with the mentioned iRule, but the logout request doesn't reach the backend.

     

  • John_Alam_45640
    Historic F5 Account

    Try inserting "*/SignOut.aspx" in the logout URI, just for the heck of it. See if it works. The "*" used to work at the end of the Start URI field.

    Otherwise, the HTTP_REQUEST event should catch the URI and kill the session:

    when HTTP_REQUEST {
        # Match any context path that ends with the application's sign-out page
        if { [HTTP::path] ends_with "SignOut.aspx" } {
            ACCESS::session remove
            return
        }
    }
    
  • Thx. I've tried that some time ago. F5 support said it's not supported. I've opened an RFE for that:

    440234 - [RFE][APM] add support for * wildcard character inside Logout URI

    I'll give it a try with session remove.

  • The above iRule works only partially: I get logged out of the session and the user sees the APM logout page with the error message "Invalid SessionID. Your session may have expired." I can live with that. But web application traces show that the backend server (SharePoint here) doesn't receive the GET .../SignOut.aspx, so my users do not get logged out of the application. Any idea?

     

  • F5 support told me the "Logout URI" functionality is designed only for an LTM+APM deployment. For Portal access mode it's not supported. A BugID RFE exists for this additional support:

    Bug 339950 - [RFE] [APM] Logout URI support for Reverse-Proxy rewrite

    Open a case with F5 support and link it to this BugID if you need this functionality (as there's no workaround possible).

    Alexandre