Sliding session for "FedAuth" Persistent cookie delivered by ADFS

Yann_Desmarest · ‎01-Jun-2016

Problem this snippet solves:

ADFS deliver persistent cookies that allow the user to connect to Sharepoint using WS-Fed. By default, the lifetime is about 12 hours and for security reason, should be changed to a lower value. This irule provide a 12 hours validity for the cookie but add a shorter timeout for inactivity.

How to use this snippet:

This irule change the default expiration time of the FedAuth cookie to a lower value. The expiration time is reset every time a user make a request until it reach the max expiration time. After the timeout or the max expiration time has been reached, the user is redirected back to the ADFS for authentication.

External links

Github : https://github.com/e-XpertSolutions/f5

Code :

when RULE_INIT {
set static::timeout 900
set static::httponly 1
set static::debug 0
set static::irule_name "irule-test-sliding-session"
}

when HTTP_REQUEST {
if { $static::debug } { set event "HTTP_REQUEST" }
set hostname [string tolower [HTTP::host]]
switch -glob $hostname {
"sharepoint1" - 
"sharepoint2" {
set key ""
set valid 1
if { [HTTP::cookie exists FedAuth] } {
set key [sha1 "$hostname:[HTTP::cookie FedAuth]"]
if { [table lookup $key] == "" } {
if { $static::debug } { log local0. "$static::irule_name - [string map -nocase {"/common/" ""} [virtual name]]: no valid sliding session key found for [IP::client_addr] with session FedAuth:[string range [HTTP::cookie FedAuth] 0 7] on $hostname - Action: redirect user to logout uri" }

HTTP::redirect "https://[HTTP::host]/_trust/default.aspx?wa=wsignoutcleanup1.0"
} else {
if { $static::debug } { log local0. "$static::irule_name - [string map -nocase {"/common/" ""} [virtual name]]: a valid key has been found for [IP::client_addr] with session FedAuth:[string range [HTTP::cookie FedAuth] 0 7] on $hostname" }
}
}
}
default { set valid 0 }
}
}

when HTTP_RESPONSE {
if { $static::debug } { set event "HTTP_RESPONSE" }
if {[HTTP::cookie exists FedAuth] and $valid } {

if { $static::debug } { log local0. "$static::irule_name - [string map -nocase {"/common/" ""} [virtual name]]: set-cookie header found with FedAuth cookie ([string range [HTTP::cookie FedAuth] 0 7]) for [IP::client_addr]" }

set key [sha1 "$hostname:[HTTP::cookie FedAuth]"]

if { [table lookup $key] != "" } {
if { [table lifetime -remaining $key] >= $static::timeout } {

table timeout $key $static::timeout
HTTP::cookie expires FedAuth $static::timeout relative

if { $static::debug } { log local0. "$static::irule_name - [string map -nocase {"/common/" ""} [virtual name]]: FedAuth cookie ([string range [HTTP::cookie FedAuth] 0 7]) valid for [table lifetime -remaining $key] seconds - Action : cookie expiration set to 300 seconds" }
} else {
HTTP::cookie expires FedAuth [table lifetime -remaining $key] relative

if { $static::debug } { log local0. "$static::irule_name - [string map -nocase {"/common/" ""} [virtual name]]: FedAuth cookie ([string range [HTTP::cookie FedAuth] 0 7]) valid for [table lifetime -remaining $key] seconds - Action : cookie expiration set to remaining lifetime" }
}
} else {
table add $key [HTTP::cookie FedAuth] $static::timeout [HTTP::cookie expires FedAuth]

if { $static::debug } { log local0. "$static::irule_name - [string map -nocase {"/common/" ""} [virtual name]]: FedAuth cookie ([string range [HTTP::cookie FedAuth] 0 7]) valid for [table lifetime -remaining $key] seconds - Action : Add cookie to the sliding session table for [HTTP::cookie expires FedAuth] seconds" }

#HTTP::cookie expires FedAuth $static::timeout relative

if { $static::debug } { log local0. "$static::irule_name - [string map -nocase {"/common/" ""} [virtual name]]: FedAuth cookie ([string range [HTTP::cookie FedAuth] 0 7]) valid for [table lifetime -remaining $key] seconds - Action : set cookie to expires within 300 seconds" }
}
} elseif { $key != "" } {
if { [table lookup $key] != "" } {
if { [table lifetime -remaining $key] >= $static::timeout } {

table timeout $key $static::timeout

if { $static::debug } { log local0. "$static::irule_name - [string map -nocase {"/common/" ""} [virtual name]]: FedAuth cookie ([string range [HTTP::cookie FedAuth] 0 7]) valid for [table lifetime -remaining $key] seconds - Action : insert FedAuth session cookie with 300 seconds expiration time" }

HTTP::cookie insert name FedAuth value [table lookup $key] path /
HTTP::cookie expires FedAuth $static::timeout relative
HTTP::cookie secure FedAuth enable

if { $static::debug } { log local0. "$static::irule_name - [string map -nocase {"/common/" ""} [virtual name]]: FedAuth cookie ([string range [HTTP::cookie FedAuth] 0 7]) valid for [table lifetime -remaining $key] seconds - Action : insert FedAuth session cookie with 300 seconds expiration time" }

} else {
HTTP::cookie insert name FedAuth value [table lookup $key] path /
HTTP::cookie expires FedAuth [table lifetime -remaining $key] relative
HTTP::cookie secure FedAuth enable

if { $static::debug } { log local0. "$static::irule_name - [string map -nocase {"/common/" ""} [virtual name]]: FedAuth cookie ([string range [HTTP::cookie FedAuth] 0 7]) valid for [table lifetime -remaining $key] seconds - Action : insert FedAuth session cookie" }
}

#
# insert httponly flag to FedAuth Cookie
#

if { $static::httponly } {
set value [HTTP::cookie value FedAuth]
set testvalue [string tolower $value]
set valuelen [string length $value]
switch -glob $testvalue {
  "*;httponly*" -
  "*; httponly*" { }
  default { set value "$value; HttpOnly"; }
}
if { [string length $value] > $valuelen} {
  HTTP::cookie value FedAuth "${value}"
}
}
}
}
}

Tested this on version:

11.5

PSilva · ‎03-Jun-2016

As Jason noted on your others, if you add "programmability contest" as a tag, you'll be entered into our Codeshare Challenge contest we're running this month!

DevCentral

Sliding session for "FedAuth" Persistent cookie delivered by ADFS

External links