stanjavoor
Oct 17, 2019

F5 APM Session Cookies Don't Clear after User Inactivity

F5 APM Session Cookie MRHSession doesn't clear from browser if a user is inactive for more than 49 minutes.

We are using a custom iRule to invoke the logout URI, which will clear the APM session cookies (F5_ST, MRHSession) from the browser when F5 intercepts the URI that is configured in the APM profiles.

This scenario is working fine for the first 48 minutes: if a user tries to access any protected URI after being inactive for more than 15 minutes and has an MRHSession cookie, then the iRule verifies whether the user session is expired and calls the logout, which clears the cookies in the browser.

This scenario is working for the first 48 minutes, but from the 49th minute APM is setting a new MRHSession cookie, and in the APM console I see a new N/A user for it.

 

I don't understand this odd behavior: why is F5 validating the MRHSession cookie for the first 48 minutes, and why doesn't it do so later? Does F5 APM have any setting where it cannot create a new session after 49 minutes?

 

7 Replies

  • What is the Inactivity Timeout in the Access Policy set to? Is there a reason you are not using this instead of the iRule?

  • We have the setting enabled which is default 900 seconds but the iRule which we are using is to make a call to IDP to clear out the session on their end as well.

  • Thank you for looking into this, here you go Dave.

    when HTTP_REQUEST {
        set apm_cookie [HTTP::cookie value MRHSession]
        # Tcl requires the opening brace of the body on the same line as the condition
        if { $apm_cookie != "" && ! [ACCESS::session exists $apm_cookie] } {
            ACCESS::session modify -sid $apm_cookie -timeout 1

            if { [ACCESS::session exists $apm_cookie] } {
                ACCESS::session remove -sid $apm_cookie
            }

            set close_url "test.idp.abc.com/login/signout"
            set uri "/wps/unauth/home"
            # Redirect to the IdP sign-out and expire the APM cookies in the browser
            HTTP::respond 302 Location "https://$close_url?fromURI=https://[HTTP::host]$uri" "Cache-Control" "no-cache, must-revalidate" "Set-Cookie" "MRHSession=deleted;path=/;secure;expires=\"Thu, 01-Jan-1970 00:00:01 GMT\"" "Set-Cookie" "LastMRH_Session=deleted;path=/;secure;expires=\"Thu, 01-Jan-1970 00:00:01 GMT\"" "Set-Cookie" "F5_ST=deleted;path=/;secure;expires=\"Thu, 01-Jan-1970 00:00:01 GMT\""
        }
    }

  • In our APM configuration, /login/signout is configured as the logout URI. When APM intercepts that call, it clears out the APM cookies from the configuration.

    Is there any way I can issue that in the above iRule such that APM intercepts it and clears the session locally, and the 302 will redirect the user back to our landing page for login?

  • No, I'm looking to invoke [HTTP::host]/login/signout so that APM can clear cookies.

    set close_url "test.idp.abc.com/login/signout"
    set uri "/wps/unauth/home"
    HTTP::respond 302 Location "https://$close_url?fromURI=https://[HTTP::host]$uri" "Cache-Control" "no-cache, must-revalidate" "Set-Cookie" "MRHSession=deleted;path=/;secure;expires=\"Thu, 01-Jan-1970 00:00:01 GMT\"" "Set-Cookie" "LastMRH_Session=deleted;path=/;secure;expires=\"Thu, 01-Jan-1970 00:00:01 GMT\"" "Set-Cookie" "F5_ST=deleted;path=/;secure;expires=\"Thu, 01-Jan-1970 00:00:01 GMT\""

    HTTP::respond 301 Location "https://[HTTP::host]/login/signout"

    Can I use multiple HTTP::respond in an iRule?