Hi Massimo,
in addition to the solution explained by Woytaz and Yoann, you could also deploy an iRule to implement SLO (Single-Log-Off) for your applications.
Using an iRule is the most flexible approach and will be your last chance if:
- You can't change the Logoff buttons of the individual Web-Applications
- The Logoff action is triggered by using query-string parameters (e.g. ?logoff=true).
- You want to delete some backend session cookies in addition to the APM session cookies.
The required iRule will basically inspect incoming web requests and search for configured logoff signatures. Once a logoff signature is identified, it will perform an HTTP redirect to the APM logoff page, where the APM user session will be destroyed.
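    when HTTP_REQUEST {
        # Match the request URI (path + query string) against the logoff signatures.
        # With -glob, "*" matches any run of characters and "?" matches any single character.
        switch -glob -- [HTTP::uri] {
            "*/somefile.ext?logoff=true" {
                # Redirect to the APM logoff page, which destroys the APM session.
                HTTP::respond 307 content "Document MovedObject MovedThis document may be found " \
                    noserver \
                    "Content-Type" "text/html" \
                    "Location" "/vdesk/hangup.php3"
            }
            "*?killsession=true" {
                # Leading "*" added: HTTP::uri always starts with the path, so a
                # pattern beginning with "?" would never match a query string.
                HTTP::respond 307 content "Document MovedObject MovedThis document may be found " \
                    noserver \
                    "Content-Type" "text/html" \
                    "Location" "/vdesk/hangup.php3"
            }
        }
    }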
Note: You have stated that you use Kerberos authentication for your backend application. In many cases the Kerberos authentication will be used just to retrieve a session cookie for further website access. If security is a concern, you may want to clear those cookies during the redirect to APM's logoff page by adding a Set-Cookie parameter and value to the HTTP::redirect command.
    ...
    "Content-Type" "text/html" \
    "Set-Cookie" "AppAuthCookie=; expires=Thu, 01 Jan 1970 00:00:00 GMT;Path=/;Secure;HttpOnly" \
    "Location" "/vdesk/hangup.php3"
    ...
Note: For some customers I've implemented an APM-session based Cookie-Proxy which intercepts session cookies sent by the backend application, stores them in the user's APM session and injects them back into server-side requests, so that the browser does not need to store those sensitive cookies. Let me know if this sounds interesting to you...
Cheers, Kai
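
The following is an added example, not part of Kai's post: a plain tclsh script that checks logoff signatures against sample URIs before they go into the iRule, since `switch -glob` uses the same matching rules as `string match`. Only the first signature comes from the post; the other signatures and all sample URIs are constructed for illustration.

```tcl
# Offline check of logoff signatures (run with tclsh, no BIG-IP needed).
# A signature that fails to match leaves the APM session alive after the
# user clicked "logoff", so it is worth testing the patterns first.

# First entry is the signature from the post; the rest are constructed
# variants that escape "?" or allow the parameter anywhere in the query.
set signatures {
    {*/somefile.ext?logoff=true}
    {*/somefile.ext\?logoff=true}
    {*\?killsession=true}
    {*[?&]killsession=true*}
}

# Constructed sample request URIs (path plus query string).
set samples {
    /app/somefile.ext?logoff=true
    /app/somefile.extXlogoff=true
    /app/index.php?killsession=true
    /app/index.php?lang=en&killsession=true
    /app/index.php?killsession=true&lang=en
    /app/index.php
}

# Return the list of signatures that match the given URI.
proc matching_signatures {uri signatures} {
    set hits {}
    foreach sig $signatures {
        # In glob matching an unescaped "?" is a one-character wildcard;
        # "\?" matches a literal question mark only.
        if {[string match $sig $uri]} {
            lappend hits $sig
        }
    }
    return $hits
}

foreach uri $samples {
    set hits [matching_signatures $uri $signatures]
    if {[llength $hits] == 0} {
        puts [format "%-42s -> no logoff signature" $uri]
    } else {
        puts [format "%-42s -> %s" $uri [join $hits ", "]]
    }
}
```

The output shows which sample URIs each pattern catches, including the unescaped `?` matching a non-query character and the end-anchored pattern missing requests that carry additional parameters.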