For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Terrence's avatar
Terrence
Icon for Nimbostratus rankNimbostratus
Feb 04, 2013

OWA Timeout V2

Our institution is running Exchange 2010. Back in July I presented an irule that would provide a timeout mechanism based upon Exchange timing out the session. Since then this irule no longer funct...
microsoft
partner
Terrence's avatar
Terrence
Icon for Nimbostratus rankNimbostratus
Feb 05, 2013

I have made a few changes to the irule. Basically now everything that is /owa/.* will now get a HTTP::respond 440. Once I realized that I could put content on this response, I wanted everything that wasnt /owa/ to get this response. The reason being, now if a user has an email open, and the attempt to interact with after there session is timed out, I can now give them a message stating that there session has timedout, I can also tell them to log back in and give them a resubmit request link.

This is well down the road.

The only issue I have been able to find, which for me isnt really a big issue, is the following.

-user goes to site /owa/ and is redirected to /my.policy and session is created

- user then opens another window and goes to /owa/ a redirect loop occurs and there original session is destroyed

 when RULE_INIT {
     set static::cookie_sessionid [format "sessionid=null; path=/; Expires=Thurs, 01-Jan-1970 00:00:00 GMT;"]
    set static::cookie_cadata [format "cadata=null; path=/; Expires=Thurs, 01-Jan-1970 00:00:00 GMT;"]
}



when ACCESS_ACL_ALLOWED {
        set apm_mrhsession [HTTP::cookie value "MRHSession"]
        if { [table lookup $apm_mrhsession] == "EXCHANGE_LOGOUT" && [ACCESS::session exists]} {
           ACCESS::session remove
           table delete $apm_mrhsession
           log local0. "$apm_mrhsession: Session for [IP::client_addr] expired"
        }
}





when ACCESS_SESSION_STARTED {
    set landing_uri [ACCESS::session data get "session.server.landinguri"]
    log local0. "LANDING_URI: $landing_uri"
}



when HTTP_REQUEST {
  set user_inactive 0
  log local0. "URI: [HTTP::uri]"
  if { [string tolower [HTTP::uri]] starts_with "/owa/" } {
    if { [string tolower [HTTP::uri]] contains "/auth/logoff.aspx" } {
      HTTP::redirect "https://[HTTP::host]/vdesk/hangup.php3"
    }

    set mrhsession [HTTP::cookie value "MRHSession"]
    if {  ($mrhsession != "" && ![ACCESS::session exists]) || $mrhsession == "" } {
      if { [string tolower [HTTP::uri]] != "/owa/"  && [string tolower [HTTP::uri]] != "/owa/" } {
        HTTP::respond 440 content "WE CAN PUT CONTENT HERE TO TELL THE USER THAT THERE SESSION IS NO LONGER ACTIVE" "Set-Cookie" $static::cookie_sessionid "Set-Cookie" $static::cookie_cadata
      } elseif { ([string tolower [HTTP::uri]] == "/owa/"  || [string tolower [HTTP::uri]] == "/owa/" ) && $mrhsession != "" } {
         HTTP::redirect "https://[HTTP::host]/vdesk/hangup.php3"
      }
    } else {
      if { [HTTP::header exists "X-UserActivity"] && [HTTP::header "X-UserActivity"] == 0 } {
        set user_inactive 1
      }
    }
  }
}

when HTTP_RESPONSE {
   if { $user_inactive && [HTTP::status] == 440 } {
        table set $mrhsession "EXCHANGE_LOGOUT"
   }
}