Forum Discussion
Bernard_9290 (Nimbostratus)
Jul 12, 2011
SSL::session invalidate issue
BIG-IP version: 10.2.0 HF1
We have a virtual server with a client SSL profile configured for mutual authentication and we would like to invalidate the SSL session when the user logs out from the associated application by using an iRule.
To do that, we execute "SSL::session invalidate" in the http_request event when matching the logout URI (/f5logout).
The session is successfully invalidated only if the "SSL::session invalidate" command is not followed by a redirection or "http::respond".
Otherwise, the session remains active. It means that the user doesn't have to renegotiate an SSL session (provide the password protecting the private key) if he wants to log in again to the application.
Any idea if there is a restriction in the "SSL::session invalidate" command usage?
The iRule...
    when HTTP_REQUEST {
        switch [HTTP::uri] {
            "/f5logout" {
                # drops the session from the session cache to prevent reuse of the session
                SSL::session invalidate
                HTTP::redirect "http://domain2"
                return
            }
        }
        # insert specific X509 information in header
        HTTP::header insert "DN" [X509::subject [SSL::cert 0]]
        # insert the entire client certificate in header
        HTTP::header replace SSLClientCert [b64encode [SSL::cert 0]]
    }
Bernard
- hooleylist (Cirrostratus): Hi Bernard,
- Bernard_9290 (Nimbostratus): Hi Aaron,
- hooleylist (Cirrostratus): Hi Bernard,
    HTTP::respond 302 Location $location Connection Close Cache-Control No-Cache Pragma No-Cache
    session delete ssl [SSL::sessionid]
    SSL::session invalidate
- Bernard_9290 (Nimbostratus): Hi Aaron,
- hooleylist (Cirrostratus): Hi Bernard,
- Bernard_9290 (Nimbostratus): Hi Aaron,
- hooleylist (Cirrostratus): That's interesting. If that's the case it seems like a bug. Please reply back with what you find out from Support.
- hooleylist (Cirrostratus): It looks like this was tracked in the following bug:
Just to point to the official info on this issue: http://support.f5.com/kb/en-us/solutions/public/13000/900/sol13955.html
so from 10.2.4 HF4 it shouldn't be an issue anymore.