Forum Discussion
LTM+APM session expired detection
Hi,
When deploying APM in SSL VPN mode, a javascript is inserted to webtop and ressources responses to poll /vdesk/timeoutagent-i.php, detect session timeout and redirect to logout URI /vdesk/hangup.php3?hangup_error=1
When deploying in LTM+APM mode, the user is not redirected to logout URI and this may generate strange behavior when user try to request again the server:
In Outlook Web App and Sharepoint, the application seems unresponsive and the message "Access policy evaluation is already in progress" appears when trying to refresh the page.
I was trying to insert javascript code in HTTP_RESPONSE to create the same behavior of SSL VPN mode unsuccessfully.
when HTTP_REQUEST {
Disable the stream filter for all requests
STREAM::disable
LTM does not uncompress response content, so if the server has compression enabled
and it cannot be disabled on the server, we can prevent the server from
sending a compressed response by removing the compression offerings from the client
HTTP::header remove "Accept-Encoding"
}
when HTTP_RESPONSE {
if {([HTTP::header Content-Type] starts_with "text/")} {
STREAM::expression "@@@"
STREAM::enable
}
}
when STREAM_MATCHED {
Once we've hit one match, disable the stream filter for the rest of the response
log local0. "APM Timeout javascript : script inserted"
STREAM::disable
}
Is there another solution? Does anyone tried to do the same successfully?
- youssef1Cumulonimbus
Hello Stanislas,
I think I understand your problem/unexpected behaviour. First what do you do with OWA or Sharepoint is Web Access Management and not VPNSSL (You confirm). Because VPNSSL (Webtop) manage correctly timeout for all your ressources.
You have to now 1 thing when you obtain the error that you've Evoked: "Access policy evaluation is already in progress"
It means that an access process is already underway. for example if you try to access a service protected by APM Module (Access Policy) by the following url: https://app.domain.com/app
And you don't finalize access policy. Then for example you open a new tab and you enter another URI https://app.domain.com/app2
You will obtaine the following error message: "Access policy evaluation is already in progress" Because you try to access to an application with another landing uri without finished the privious attempt.
So that you obtain for OWA and Sharepoint is normal in my opinion (I already had the case). I'll explain what's going on:
-
Your user is connected correctly to Sharepoint through F5 (with access policy).
-
the session timeout is reached. And this apm session is finished.
-
the problem is that the user is not aware of this because the timeout is reached.
-
So user the user will want to continue to use the application (sharepoint) normally. but when it will click on a link on his browser in rear plan it is redirected on: https://app.domain.com/my.policy (if you do a capture you can see it)
Today several application are developed with bootstrap, angularjs, ajax, json... (not html/txt) and the redirection can't opere for the entire page... and we get this kind of problem.
I hoped I was clear enough. If you have question don't hesitate, it's very important that you understant this comportment...
For this kind of problem I developed an irule that manage session. If you are interesting keep me update.
Regards
-
- Stanislas_Piro2Cumulonimbus
Hi,
To force browser to detect session closed, I wrote the following irule:
when RULE_INIT { set static::jscript {} } when ACCESS_ACL_ALLOWED { Disable the stream filter by default if { [catch {STREAM::disable}] } {log local0. "Streem disable error"} set insertJscript 0 HTTP::header remove "Accept-Encoding" set authenticated 1 } when HTTP_RESPONSE { if {[info exists authenticated] && ([HTTP::status] == 200) && ([HTTP::header value Content-Type] contains "text")} { set insertJscript 1 STREAM::expression "@@$static::jscript@" STREAM::enable } if {[HTTP::header exists "Transfer-Encoding"]} { HTTP::payload rechunk } } when STREAM_MATCHED { Once we've hit one match, disable the stream filter for the rest of the response if { $insertJscript} { log local0. "Session Closed detection : Javascript inserted" STREAM::disable } }
I imported the following javascript file in Hosted content (named detect_session_close.js):
function detectSessionClosed() { var rq = new XMLHttpRequest(); rq.open("GET","/vdesk/timeoutagent-i.php",false); rq.send(null); if (rq.status === 404) { window.location.assign("/vdesk/hangup.php3"); } } setInterval( detectSessionClosed, 30000);
It request timeoutagent-i.php every 30 seconds (without extending the APM session) and redirect to logout page if the session is closed.
- lplisonNimbostratus
Hello Stanislas_Piro2 ,
The hosted content is only available for webtop and the webtop is not available in LTM+APM mode as far as I understood.
So, what would be the best way to inject the JavaScript in LTM+APM mode?
Thanks for sharings
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com