BIG-IP APM: Max Sessions Per User – Enable users to terminate a specified session
 Technical Challenge 
    
    Recently I was speaking with a customer and they mentioned that they leveraged the “Max Sessions Per User” setting within BIG-IP APM Access Profile to limit the number ...
Published Dec 22, 2015
Version 1.0
Robert_Teller_7
Historic F5 Account
Joined November 11, 2011
AN Nimbostratus
Apr 10, 2017
Is there a way to restrict APM session per user per URI in HTTP_REQUEST? I want to restrict APM to run the very first time it finds the URI /abc/session.svc, since that service is being called a couple of times in communication but only the first URI call has the username and password. Currently it fails because when it runs the second time it doesn't get the password in URI /abc/session.svc. Following iRule:
when HTTP_REQUEST {
    switch [HTTP::method] {
        "COPY" -
        "MOVE" {
            # Replace Destination header with http if using SSL Offloading
            if { [HTTP::header Destination] starts_with "https" } {
                HTTP::header replace Destination [string map -nocase {https http} [HTTP::header value Destination]]
            }
            HTTP::disable
        }
        "MKCOL" -
        "PROPPATCH" {
            HTTP::disable
        }
    }
    if { [HTTP::uri] contains "/abc/session.svc" } {
        ACCESS::enable
        HTTP::header insert "clientless-mode" 1
        set apmsessionid [HTTP::cookie value MRHSession]
        # Treat the request as unauthenticated unless the cookie maps to an allowed session
        if { [HTTP::cookie exists "MRHSession"] } {
            set apmstatus [ACCESS::session exists -state_allow $apmsessionid]
        } else {
            set apmstatus 0
        }
        if { !($apmstatus) } {
            # Insert Clientless-mode header to start APM in clientless mode
            if { [catch {HTTP::header insert "clientless-mode" 1}] } {
                log local0. "[IP::client_addr]:[TCP::client_port] : TCL error on HTTP header insert clientless-mode : URL : [HTTP::host][HTTP::path] - Headers : [HTTP::request]"
            }
        }
        if { [HTTP::method] eq "POST" } {
            # Collect the request body, capped at 1 MB, so HTTP_REQUEST_DATA can parse it
            set clength 0
            if { [HTTP::header exists "Content-Length"] && [HTTP::header Content-Length] <= 1048576 } {
                set clength [HTTP::header Content-Length]
            } else {
                set clength 1048576
            }
            if { [info exists clength] && $clength > 0 } { HTTP::collect $clength }
        }
    } else {
        ACCESS::disable
    }
}
when HTTP_REQUEST_DATA {
    # Parse XML Data
    set xmluserdata [findstr [HTTP::payload] "" 10 ""]
    set xmluser [findstr $xmluserdata ">" 1 ""]
    set xmlpw [findstr $xmluserdata "" 10 end]
}
when ACCESS_SESSION_STARTED {
    # Variables from HTTP REQUEST Data (XML Parsing)
    if {([info exists "xmluser"])} { ACCESS::session data set session.logon.last.username $xmluser; ACCESS::session data set session.logon.last.userid $xmluserdata;  }
    if {([info exists "xmlpw"])} { ACCESS::session data set session.logon.last.password $xmlpw; }
    if {([info exists "xmluserdata"])} { ACCESS::session data set session.logon.last.useridpass $xmlpw; }
}
when ACCESS_ACL_ALLOWED {
    set user [ACCESS::session data get session.logon.last.username]
    HTTP::header insert "login" $user
    HTTP::header remove "Authorization"
}