Forum Discussion
SAP cookie not released after Logout
Hello,
We have a situation where, when a user logs out of the portal by clicking the "logout" button, another user logging in to the portal in the same browser instance gets signed in with the previous user's information, even though the new user logged in using their own credentials.
We have an iRule set up so that when the logout URI is detected, a redirect is sent to the /hangup page and the F5 deletes the session. However, within the SAP portal the session is still active, and we think this is what allows a user to log in and land on a previous user's session.
Is there a way to clear all session cookies when the /logout URI is seen and then issue a redirect to the hangup page so that APM can kill the session?
Any help will be appreciated.
thanks,
karthik
10 Replies
- Yann_Desmarest_
Nacreous
Hello,
If the logout URI in the access profile matches the logout URI of the app, the logout should occur on both systems.
Another way is to configure the app to redirect users to /vdesk/hangup.php3 when they log out from the app.
I have also defined my own iRule that deletes the MRHSession, LastMRH_Session and, for example, jsessionid cookies on the browser side. At the same time, the iRule issues an ACCESS::session remove command to kill the APM session. To delete cookies, you insert the cookie in the response with an expiration date of 1 Jan 1970.
- Karthik_Krishn1
Cirrostratus
Hi Yann, would you be able to share the iRule with me please? Thanks, Karthik
- Yann_Desmarest_
Nacreous
Hi Karthik,
Please find below an example:

    when HTTP_REQUEST {
        # Only act on the logout URI (the question uses /logout; adjust to the app's logout path)
        if { [string tolower [HTTP::uri]] starts_with "/logout" } {
            set apm_cookie [HTTP::cookie MRHSession]
            if { [ACCESS::session exists -sid $apm_cookie] } {
                # Remember where to send the user, kill the APM session, then expire the cookies
                set uri [ACCESS::session data get session.server.landinguri]
                ACCESS::session remove
                HTTP::respond 302 noserver "Location" "$uri" \
                    "Cache-Control" "no-cache, must-revalidate" \
                    "Set-Cookie" "MRHSession=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=[HTTP::host];path=/" \
                    "Set-Cookie" "LastMRH_Session=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=[HTTP::host];path=/"
            }
        }
    }

You should specify "domain=[HTTP::host]" if you set the hostname in the Domain SSO settings on your access profile.
You can also set the URI you want to redirect the user to after logout.
Alternatively, you can answer with a custom logout response instead of a 302 redirect:

    HTTP::respond 200 content [ifile get hangup.html] noserver \
        "Content-Type" "text/html" \
        "Cache-Control" "no-cache, must-revalidate" \
        "Set-Cookie" "MRHSession=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=[HTTP::host];path=/" \
        "Set-Cookie" "LastMRH_Session=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=[HTTP::host];path=/"

And of course you can force the deletion of another cookie, for example MYSAPSSO2:

    "Set-Cookie" "MYSAPSSO2=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=[HTTP::host];path=/"

Hope this helps you.
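As an added check that is not part of the thread, this Python helper takes the Set-Cookie headers of a captured logout response (like the ones the iRule above emits) and reports which session cookies a browser would still keep, including the Domain SSO caveat where a "deleted" cookie with the wrong Domain or Path leaves the real cookie alive. The sample headers and the portal.domain.com domain are constructed for the example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Cookie names from the thread: the two APM session cookies plus the SAP SSO ticket.
SESSION_COOKIES = ("MRHSession", "LastMRH_Session", "MYSAPSSO2")

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def is_expired(attrs, now):
    """True when Expires lies in the past or Max-Age is zero or negative."""
    if "expires" in attrs:
        try:
            return parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):
            return False
    max_age = attrs.get("max-age", "")
    return max_age.lstrip("-").isdigit() and int(max_age) <= 0

def live_session_cookies(set_cookie_headers, cookie_domain, now=None):
    """Session cookies the browser still holds after this logout response.
    cookie_domain: Domain attribute the live cookies carry (None if host-only).
    A browser replaces a cookie only when name, domain and path all match, so a
    'deleted' cookie with the wrong scope leaves the original untouched (the
    Domain SSO caveat in the answer above)."""
    now = now or datetime.now(timezone.utc)
    wanted = cookie_domain.lower() if cookie_domain else None
    cleared = set()
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        domain = attrs.get("domain", "").lstrip(".").lower() or None
        if (name in SESSION_COOKIES and is_expired(attrs, now)
                and domain == wanted and attrs.get("path") == "/"):
            cleared.add(name)
    return [c for c in SESSION_COOKIES if c not in cleared]

# Constructed sample: the MYSAPSSO2 deletion is missing the Domain attribute.
SAMPLE_LOGOUT_HEADERS = [
    "MRHSession=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=portal.domain.com;path=/",
    "LastMRH_Session=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=portal.domain.com;path=/",
    "MYSAPSSO2=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;path=/",
]
```

Running `live_session_cookies(SAMPLE_LOGOUT_HEADERS, "portal.domain.com")` returns `['MYSAPSSO2']`: the ticket cookie survives because its deletion was host-only while the live cookie carried the domain.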
- Karthik_Krishn1
Cirrostratus
Thanks for the code. We actually fixed the issue in a slightly different manner. When the user clicks on the Logout button, our SAP application closes the sessions, invalidates the cookie and issues a redirect to /irj/portal, and the referrer is "portalname.domain.com". So what we did is as below. We essentially introduced a delay before the hangup was initiated:

    when HTTP_REQUEST {
        # SAP's post-logout redirect to /irj/portal, with the portal itself as Referer, is the cue to end the APM session
        if { [string tolower [HTTP::uri]] equals "/irj/portal" and [string tolower [HTTP::header "Referer"]] equals "https://portal.domain.com/irj/portal" } {
            HTTP::respond 302 noserver Location https://[HTTP::header host]/vdesk/hangup.php3
        }
    }