jonathan_239725
Dec 02, 2016

APM inactivity timeout redirect or notification page for LTM + APM connections

Background on this:

Have a customer that is publishing a Microsoft CRM instance behind APM and doing KCD with smart card auth. Access policy works fine, KCD works fine, web app works fine. The only problem we have is the inactivity timeout setting. Once the limit has been reached, the session is removed and content is no longer sent to the user in a very abrupt fashion. This is a problem because a lot of the page is cached on the client's workstation and all they see is broken JPEGs and incomplete web content. Once they click around they are re-authenticated, but it is not pretty. I want to find a way to notify the user they have been inactive for a certain amount of time and send an HTTP 200 response with content notifying them, with a link to click on to re-authenticate. Increasing the inactivity timeout is not an option due to their access session license limit. There would be a lot of abandoned sessions that would aggregate, potentially going over this limit.

I know with webtop and SSL VPN you get a notification that you are about to be logged out due to inactivity, but this doesn't seem to be available for LTM + APM policies.

This is what I have so far, there has to be a more efficient way of doing this though.

when ACCESS_SESSION_STARTED {
    set ::EXPIRE "false"
}

when ACCESS_SESSION_CLOSED {
    log local0. "Session has been closed"
    set ::EXPIRE "true"
}

when HTTP_RESPONSE {
    if {$::EXPIRE equals "true"} {
        HTTP::respond 200 content "
        You've Been Logged out due to inactivity
        You have been logged out due to inactivity 
         Thanks for Using the application 
        Click  to log back in.
        "
    }
}

  • Lucas_Thompson_
    Historic F5 Account

    APM already basically does this by redirecting to the hangup page when a session is invalid. If you look closely at the HTTP transactions using HttpWatch, HttpFox, Chrome dev tools, Firefox dev tools, Fiddler, or a packet capture, you can see how it works.

    A few notes about it:

    1. ACCESS_SESSION_CLOSED isn't tied to a flow, because the session closes asynchronously to network activity, so you can't call any commands that set variables or make any network flows themselves. Basically the only useful thing you can do here is log.

    2. You'll have to figure out how you'd like this to work in your environment. APM and/or BIG-IP can basically do anything you want, but you'll have to think in terms of HTTP transactions. A web developer or the application vendor should be able to assist you to determine the best way to handle timeouts for your app. Some web apps are "single page" style like OWA, and some web apps are multiple pages. Most are a mixture.

    3. If you want to detect if a session is valid, use something like this, where you check for the cookie first in the HTTP request, then check the APM session state (I didn't check this, so make sure it works for you):

    when HTTP_REQUEST {
      if { [HTTP::cookie exists "MRHSession"] } {
        # user gave us a cookie, continue
      } else {
        # user didn't give us any cookie, stop and let APM do its thing
        return
      }

      # ACCESS::session exists is given the session ID, i.e. the MRHSession cookie value
      if { [ACCESS::session exists -state_allow [HTTP::cookie value "MRHSession"]] } {
        # user has a valid session
      } else {
        # user did give us a cookie but session does not exist in allow state
        # do the expire stuff here
      }
    }
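
The check from note 3, carried through to the notification page the original question asks for, as an added example that is not code from any poster in this thread or from F5. It assumes a host-scoped MRHSession cookie on path /, that / is a suitable place to restart the access policy, and that browsers send text/html in Accept on page navigations; it tests for a session in any state rather than -state_allow so that a session still in policy evaluation is left alone.

```tcl
# Added example, not from the thread. Assumptions: MRHSession is host-scoped
# with path=/, and "/" is where the user should restart the access policy.
when RULE_INIT {
    # Static page: no request data (URI, headers) is echoed into the HTML,
    # so the notice cannot be used to reflect attacker-supplied markup.
    set static::idle_page {<html><head><title>Session expired</title></head>
<body><h1>You have been logged out due to inactivity</h1>
<p><a href="/">Click here</a> to log back in.</p></body></html>}
}

when HTTP_REQUEST {
    # No cookie at all: first visit, let APM start the access policy.
    if { ![HTTP::cookie exists "MRHSession"] } { return }
    set sid [HTTP::cookie value "MRHSession"]

    # Session known to APM in any state (allowed, or still being evaluated
    # on /my.policy): do not interfere with the request.
    if { [ACCESS::session exists $sid] } { return }

    # Stale cookie. Answer only page navigations with the notice; images,
    # scripts and XHR calls fall through to APM's default handling.
    if { !([HTTP::method] eq "GET" && [HTTP::header value "Accept"] contains "text/html") } {
        return
    }

    # Log the event without the session ID, which is a credential-like value.
    log local0.info "Stale MRHSession presented by [IP::client_addr]"

    # Expire the cookie so the follow-up click arrives without it and APM
    # starts a fresh session instead of this rule matching again.
    HTTP::respond 200 content $static::idle_page \
        "Content-Type" "text/html; charset=utf-8" \
        "Cache-Control" "no-store" \
        "Set-Cookie" "MRHSession=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/" \
        "Connection" "close"
}
```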
    
    • jspiglerj2rsolves

      Thanks Lucas. This makes sense. I'll give this a whirl in my lab and see if this gives me the results I'm looking for.

      Thanks again

    • srir

      Experts,

      APM - session inactivity - 15 mins

      Upon reaching 15 mins, the browser displays the default F5 page - vdesk/hangup.php3

      *Expectation - upon reaching 15 mins, it should redirect to the IDP login page

      It appears I have to fine-tune the iRule below to reach the IDP login page. Any pointers / suggestions on this iRule logic?

      Inputs appreciated.

      when HTTP_REQUEST {
          if { ( [HTTP::cookie exists MRHSession] ) and not ( [ACCESS::session exists -state_allow [HTTP::cookie value MRHSession]] ) } {
               if { ( [HTTP::uri] ne [ACCESS::session data get session.server.landinguri] ) and not ( [ACCESS::session data get session.server.landinguri] eq "" ) } {
                  ACCESS::session remove
                  HTTP::redirect [HTTP::uri]
                  TCP::close
               }
          }
      }