
ffive_154017
May 14, 2014

session timeout handling

We have a filter which does application-level redirection based on the httpSession object. We have recently added BIG-IP to the stack. Prior to the load balancer configuration, we were getting the httpSession object as null when the application timed out. Post load balancer, we are getting a non-null httpSession object. Hence there is no way to distinguish between a first-time login and a redirect to the login page on session timeout. Is it possible to force the load balancer to return a null httpSession object when the web application times out?

 

2 Replies

  • Is it possible to create an iRule which will purge the session (return null session object) returned to the application server on session timeout OR add a header message by which the application can distinguish the session time out at the code level?
  • Is the "httpSession" object you're referring to a cookie set by the application? In a pure protocol sense, HTTP is stateless, so any "session" between a client and server would have to be maintained by some persistent object that the client sent back in each request (a cookie, a URI pattern, a header, etc.). In that case, what happens when the application session times out, that doesn't happen when it's behind the load balancer? Are you using any iRules? Have any specific or unusual configuration on the load balancer virtual server?