APM sso cookie caching issue

Snl
Cirrostratus

Folks,

Need some help. I have a VS where we are using APM SSO for my JBoss web application, which is working fine with Kerberos SSO. The problem is this web app doesn't have a logout option; the user will close the browser directly, but the next time the same user opens the same URL in the browser, APM redirects to ADFS SSO and gets a 302 redirect with a CORS error.

I want to get rid of the previously used MRHSession cookie so that every time the browser comes with a new request (after closing the page and opening the URL again), APM assigns a new cookie for the SSO session. When I try Chrome incognito it works fine, since it doesn't store any cache or APM cookie.

Can the iRule below help?

# Fire this iRule before the main SSO iRule to remove the last browser-used APM session cookie from the previous session
when HTTP_REQUEST priority 80 {
    if { ([HTTP::uri] == "/") && [HTTP::cookie exists MRHSession] && [ACCESS::session exists [HTTP::cookie value MRHSession]] } {
        HTTP::cookie remove MRHSession
    } {
        HTTP::redirect "https://log.abc.com[HTTP::uri]"
    }
}

Any help appreciated.

9 REPLIES 9

Snl
Cirrostratus

Or just remove the session cookie:

when HTTP_REQUEST priority 80 {
    if { ([HTTP::uri] == "/") && [HTTP::cookie exists MRHSession] && [ACCESS::session exists [HTTP::cookie value MRHSession]] } {
        HTTP::cookie remove MRHSession
    }
}

Snl
Cirrostratus

Can anyone assist?

Sajid
Cirrostratus

HTTP::cookie remove MRHSession
ACCESS::session remove

https://clouddocs.f5.com/api/irules/ACCESS__session.html

For reference:

when HTTP_REQUEST {
    if { [HTTP::path] contains "/public" } {
        HTTP::cookie remove "LastMRH_Session"
        HTTP::cookie remove "MRHSession"
    }
}

For reference:

when HTTP_REQUEST {
    if { ([HTTP::uri] == "/") && [HTTP::cookie exists MRHSession] && [ACCESS::session exists [HTTP::cookie value MRHSession]] } {
        HTTP::redirect "https://[HTTP::host]/vdesk/webtop.eui?webtop=/Common/dfw_vpn_webtop&webtop_type=webtop_full"
    } elseif { [HTTP::cookie exists MRHSession] } {
        HTTP::cookie remove MRHSession
    }
}

Snl
Cirrostratus

Hi Sajid,

I have seen these iRules earlier. My concern is: what is the best way to avoid using the existing APM session cookie? I am not concerned about SSO; the user needs to re-authenticate every time they close the browser.

So what is the best way forward here?

Not quite sure what you are looking for now.

The best way to avoid using existing APM session cookies is to not send them from the browser. But if they still exist, you have to get them deleted. Those iRules can do that.

What more are you looking for now?

Hi Boneyard,

Will the iRule below work?

# Fire this iRule before the main SSO iRule to remove the last browser-used APM session cookie from the previous session
when HTTP_REQUEST priority 80 {
    if { ([HTTP::uri] == "/") && [HTTP::cookie exists MRHSession] && [ACCESS::session exists [HTTP::cookie value MRHSession]] } {
        HTTP::cookie remove MRHSession
    } {
        HTTP::redirect "https://log.abc.com[HTTP::uri]"
    }
}

On first glance it seems it will, but the best way to find out is to try; a test setup would be best.

Thanks Boneyard, will test and let you know.

Sajid
Cirrostratus
Cirrostratus

K15387: Overview of BIG-IP APM session cookies 

https://api-u.f5.com/support/kb-articles/K15387?pdf