APM Sharepoint authentication
Hi Kai,
The use of
[ACCESS::user getsid $user_key]
is from the F5 Exchange iRule. This iRule is also used when enabling the Exchange profile.
This is based on a user key derived from the username and password. If you think it is insecure, we can set the variable session.max_session_timeout to 1 hour. It will force a new authentication every hour if the user changed his password or if the account is locked. This can be seamless, as the authentication header is inserted in every request.
The main reason I filter on the MRHSession_SP cookie only for non-browser clients is to secure persistent cookie usage.
When managing the persistent cookie for non-browser clients only, only non-browser clients are allowed to recover the session cookie from the SharePoint cookie. When a user closes the browser without logging out, the next user on a shared computer can access the previous user's session if the persistent cookie has not expired.
If you manage the MRHSession_SP cookie for all user agents, the user will be allowed to close the browser, open it again and access SharePoint.
Another reason I put the ACCESS::session command only for clientless and OFBA clients is to solve performance issues.
ACCESS::session should be used carefully because it generates a pause in the execution of the iRule while waiting for all other TMMs to answer about this session. Executing this for every request may cause latency. That's why I filter first on user-agent, then on session status.
I understand that in my iRule there are static objects I can remove, and that I can fix the OFBA URLs and the persist cookie name.
I agree that your switch command to filter user agents is more optimized (with the FrontPage filter version), but I will keep the iRule architecture to stay generic for every client type.
I will update my iRule soon with the good points I found in yours.
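As an added example (not the author's iRule and not F5's Exchange iRule), this is the ordering the reply describes: classify the client by User-Agent first, call ACCESS::session only for clientless and OFBA clients, and restore the APM session from MRHSession_SP only for those clients so a browser on a shared computer never gets a session back after it was closed. The User-Agent patterns and the cookie names MRHSession and MRHSession_SP are assumptions for illustration.

```tcl
when HTTP_REQUEST {
    # Constructed example. Cookie names are assumed: MRHSession is the APM
    # session cookie, MRHSession_SP the persistent copy given to non-browser
    # clients. User-Agent patterns below are placeholders, not a full list.
    set ua [string tolower [HTTP::header "User-Agent"]]

    # Step 1: cheap string matching first. Office clients also send "Mozilla"
    # in their User-Agent, so the OFBA patterns must come before the browser
    # patterns (switch -glob takes the first match).
    switch -glob -- $ua {
        "*microsoft office*" -
        "*ms-office*" { set client_type "ofba" }
        "*mozilla*" -
        "*opera*"    { set client_type "browser" }
        default      { set client_type "clientless" }
    }

    # Browsers keep the standard APM behaviour: session cookie only, so
    # closing the browser drops the session on a shared computer. No
    # ACCESS::session call is made on this path, which is the hot path.
    if { $client_type equals "browser" } { return }

    # Step 2: non-browser client. Only now pay for ACCESS::session, and only
    # if there is no already-valid APM session cookie on the request.
    if { [HTTP::cookie exists "MRHSession"] } {
        set sid [HTTP::cookie "MRHSession"]
        if { [ACCESS::session exists -state_allow $sid] } { return }
    }

    # Step 3: recover the APM session from the persistent cookie, but only
    # when it still maps to a live, allowed session. A stale or invalid
    # value is dropped so APM starts a fresh authentication instead.
    if { [HTTP::cookie exists "MRHSession_SP"] } {
        set sid [HTTP::cookie "MRHSession_SP"]
        if { [ACCESS::session exists -state_allow $sid] } {
            HTTP::cookie remove "MRHSession"
            HTTP::cookie insert name "MRHSession" value $sid
        } else {
            HTTP::cookie remove "MRHSession_SP"
        }
    }
}
```

The session lifetime itself (the session.max_session_timeout value mentioned above) is left to the access profile configuration rather than set here.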