on 01-Jun-2016 17:27
Problem this snippet solves:
ADFS delivers persistent cookies that allow the user to connect to SharePoint using WS-Fed. By default, the lifetime is about 12 hours and, for security reasons, it should be changed to a lower value. This iRule keeps the 12-hour validity of the cookie but adds a shorter inactivity timeout.
How to use this snippet:
This iRule changes the default expiration time of the FedAuth cookie to a lower value. The expiration time is reset every time the user makes a request, until the maximum expiration time is reached. Once the inactivity timeout or the maximum expiration time has been reached, the user is redirected back to ADFS for authentication.
Github : https://github.com/e-XpertSolutions/f5
Code :
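# Sliding-session iRule for the SharePoint FedAuth (WS-Fed) cookie.
#
# The FedAuth cookie issued after ADFS authentication is remembered in the
# session table for its original (long) lifetime, while the cookie handed to
# the browser is re-issued with a short inactivity timeout (static::timeout).
# Every response on a protected host refreshes the table entry and the cookie,
# so the session ends either after static::timeout seconds of inactivity or
# when the original cookie lifetime runs out, whichever comes first.  A request
# whose FedAuth cookie has no live table entry is sent to the WS-Fed sign-out
# URI so that SharePoint/ADFS re-authenticate the user.
#
# Per-connection variables set in HTTP_REQUEST and read in HTTP_RESPONSE:
#   hostname - lower-cased Host header of the request
#   valid    - 1 when the host is one of the protected SharePoint hosts
#   key      - sha1 of "host:FedAuth" when the request carried a FedAuth
#              cookie on a protected host, otherwise ""
#   vsname   - virtual server name without the "/Common/" prefix (logging only)

when RULE_INIT {
    # Inactivity timeout in seconds, applied both to the re-issued FedAuth
    # cookie and to the session-table entry.
    set static::timeout 900
    # When 1, the HttpOnly attribute is added to FedAuth cookies inserted by
    # this iRule.
    set static::httponly 1
    # When 1, every decision is logged to local0.
    set static::debug 0
    # Prefix used in all log messages.
    set static::irule_name "irule-test-sliding-session"
}

when HTTP_REQUEST {
    # Initialise every variable that HTTP_RESPONSE reads.  The original only
    # set key inside the protected-host branch, so a response for any other
    # host hit "elseif key != ..." with an unset variable and raised a Tcl
    # runtime error.
    set key ""
    set valid 0
    set hostname [string tolower [HTTP::host]]
    set vsname [string map -nocase {"/common/" ""} [virtual name]]

    switch -glob $hostname {
        "sharepoint1" -
        "sharepoint2" {
            set valid 1
            if { [HTTP::cookie exists FedAuth] } {
                # The table key binds the cookie value to the host it was
                # issued for; only the hash is used as key, the value itself
                # is stored as the table entry (needed to re-insert it).
                set key [sha1 "$hostname:[HTTP::cookie FedAuth]"]
                if { [table lookup $key] == "" } {
                    # No live session for this cookie: the inactivity timeout
                    # (or the original lifetime) expired.  Redirect to the
                    # WS-Fed sign-out URI so the user re-authenticates.
                    if { $static::debug } {
                        log local0. "$static::irule_name - $vsname: no valid sliding session key found for [IP::client_addr] with session FedAuth:[string range [HTTP::cookie FedAuth] 0 7] on $hostname - Action: redirect user to logout uri"
                    }
                    HTTP::redirect "https://[HTTP::host]/_trust/default.aspx?wa=wsignoutcleanup1.0"
                } elseif { $static::debug } {
                    log local0. "$static::irule_name - $vsname: a valid key has been found for [IP::client_addr] with session FedAuth:[string range [HTTP::cookie FedAuth] 0 7] on $hostname"
                }
            }
        }
    }
}

when HTTP_RESPONSE {
    set vsname [string map -nocase {"/common/" ""} [virtual name]]

    if { [HTTP::cookie exists FedAuth] and $valid } {
        # The server is setting (or renewing) the FedAuth cookie itself.
        if { $static::debug } {
            log local0. "$static::irule_name - $vsname: set-cookie header found with FedAuth cookie ([string range [HTTP::cookie FedAuth] 0 7]) for [IP::client_addr]"
        }
        set key [sha1 "$hostname:[HTTP::cookie FedAuth]"]

        if { [table lookup $key] != "" } {
            # Known session: slide the inactivity timeout, but never let the
            # browser cookie outlive the remaining lifetime of the table entry.
            if { [table lifetime -remaining $key] >= $static::timeout } {
                table timeout $key $static::timeout
                HTTP::cookie expires FedAuth $static::timeout relative
                if { $static::debug } {
                    log local0. "$static::irule_name - $vsname: FedAuth cookie ([string range [HTTP::cookie FedAuth] 0 7]) valid for [table lifetime -remaining $key] seconds - Action : cookie expiration set to $static::timeout seconds"
                }
            } else {
                HTTP::cookie expires FedAuth [table lifetime -remaining $key] relative
                if { $static::debug } {
                    log local0. "$static::irule_name - $vsname: FedAuth cookie ([string range [HTTP::cookie FedAuth] 0 7]) valid for [table lifetime -remaining $key] seconds - Action : cookie expiration set to remaining lifetime"
                }
            }
        } else {
            # New cookie: store it with the inactivity timeout as table timeout
            # and the cookie's own expiration as the hard lifetime.
            # NOTE(review): the lifetime argument is the raw result of
            # "HTTP::cookie expires FedAuth"; confirm on the target version
            # that this is a relative number of seconds, otherwise the entry
            # may be kept much longer than the 12 hours intended.
            table add $key [HTTP::cookie FedAuth] $static::timeout [HTTP::cookie expires FedAuth]
            if { $static::debug } {
                log local0. "$static::irule_name - $vsname: FedAuth cookie ([string range [HTTP::cookie FedAuth] 0 7]) valid for [table lifetime -remaining $key] seconds - Action : Add cookie to the sliding session table for [HTTP::cookie expires FedAuth] seconds"
            }
            # Kept disabled as in the original: the server-issued cookie is
            # passed through with its own expiration; only the cookie
            # re-inserted from the table (below) gets the short expiry.
            # NOTE(review): the Secure and HttpOnly attributes are only
            # enforced on the re-inserted cookie, not on this server-issued
            # one - confirm that the backend sets them itself.
            #HTTP::cookie expires FedAuth $static::timeout relative
        }
    } elseif { $key != "" } {
        # The request carried a FedAuth cookie on a protected host but the
        # server did not re-issue it: re-insert it from the session table with
        # the sliding expiration.
        set cookieval [table lookup $key]
        if { $cookieval != "" } {
            if { [table lifetime -remaining $key] >= $static::timeout } {
                table timeout $key $static::timeout
                HTTP::cookie insert name FedAuth value $cookieval path /
                HTTP::cookie expires FedAuth $static::timeout relative
                HTTP::cookie secure FedAuth enable
                if { $static::debug } {
                    log local0. "$static::irule_name - $vsname: FedAuth cookie ([string range [HTTP::cookie FedAuth] 0 7]) valid for [table lifetime -remaining $key] seconds - Action : insert FedAuth session cookie with $static::timeout seconds expiration time"
                }
            } else {
                HTTP::cookie insert name FedAuth value $cookieval path /
                HTTP::cookie expires FedAuth [table lifetime -remaining $key] relative
                HTTP::cookie secure FedAuth enable
                if { $static::debug } {
                    log local0. "$static::irule_name - $vsname: FedAuth cookie ([string range [HTTP::cookie FedAuth] 0 7]) valid for [table lifetime -remaining $key] seconds - Action : insert FedAuth session cookie"
                }
            }

            # Add the HttpOnly attribute to the re-inserted cookie unless it is
            # already present.  This appends the attribute to the cookie value
            # string, as the original did.
            # NOTE(review): this relies on "HTTP::cookie value" carrying the
            # attribute text; where the platform offers a dedicated
            # HTTP::cookie httponly command, prefer that - confirm on 11.5.
            if { $static::httponly } {
                set value [HTTP::cookie value FedAuth]
                set lowered [string tolower $value]
                if { !([string match "*;httponly*" $lowered] || [string match "*; httponly*" $lowered]) } {
                    HTTP::cookie value FedAuth "$value; HttpOnly"
                }
            }
        }
    }
}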
Tested this on version:
11.5