iRule to clear session when traversing to new APM Profile

Question

I have a request to add a "reset password" link on the logon page of our primary APM profile portal.  I would like to have a link to a separate virtual server tied to a new APM profile which does not require a login and instead would walk users through an APM decision tree depending on their account type (employee vs. contractor) ultimately sending them to the appropriate 3rd party password reset location.&nbsp;
I have struggled to purge the primary APM profile logon page session cookie using an iRule as it seems to persist even when running the commands below: &nbsp;
HTTP::cookie remove MRHSession &nbsp;
ACCESS::session remove&nbsp;
Any help would be appreciated.&nbsp;
Thank you&nbsp;
Please be gentle I'm new to this.&nbsp;

yann_desmarest_ · Answer

Hi,
You need to set a special value for MRHSession and LastMRH_Session cookies in the response to the client. For example, you can respond like in my example below : 
HTTP::respond 302 noserver "Location" "/logout" "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate" Set-Cookie "MRHSession=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=[HTTP::host];path=/" Set-Cookie "LastMRH_Session=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=[HTTP::host];path=/"
The domain value in the cookie depends on how the cookie was set the first time. If it's not provided during authentication, you should remove "domain=[HTTP::host]" in the command.
You can also wait for the backend response and reset the cookie values :
HTTP::cookie insert name  value  [path ] [domain ] [version &lt;0 | 1 | 2&gt;]
practical example : 
HTTP::cookie remove MRHSession
HTTP::cookie remove LastMRH_Session
HTTP::cookie insert name MRHSession value "expired"
HTTP::cookie insert name LastMRH_Session value "expired"
HTTP::cookie expires MRHSession 0 absolute
HTTP::cookie expires LastMRH_Session 0 absolute

yann_desmarest · Answer

Hi,
You need to set a special value for MRHSession and LastMRH_Session cookies in the response to the client. For example, you can respond like in my example below : 
HTTP::respond 302 noserver "Location" "/logout" "Content-Type" "text/html" "Cache-Control" "no-cache, must-revalidate" Set-Cookie "MRHSession=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=[HTTP::host];path=/" Set-Cookie "LastMRH_Session=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;domain=[HTTP::host];path=/"
The domain value in the cookie depends on how the cookie was set the first time. If it's not provided during authentication, you should remove "domain=[HTTP::host]" in the command.
You can also wait for the backend response and reset the cookie values :
HTTP::cookie insert name  value  [path ] [domain ] [version &lt;0 | 1 | 2&gt;]
practical example : 
HTTP::cookie remove MRHSession
HTTP::cookie remove LastMRH_Session
HTTP::cookie insert name MRHSession value "expired"
HTTP::cookie insert name LastMRH_Session value "expired"
HTTP::cookie expires MRHSession 0 absolute
HTTP::cookie expires LastMRH_Session 0 absolute

walter_kacynski · Answer

I might suggest that you try to set the domain cookie on the new access profile to the "host" of this new virtual server. This will limit the scope of the session to only this virtual. Depending on cookie usage from our first domain, this would eliminate the cookie collision on the client browser as it would be more specific than the root domain scope.

s_martin_253133 · Answer

Appreciate the advice.  I have attempted to insert the example lines into a HTTP_REQUEST part of an iRule on the target APM and am still seeing the original MRHSession/LastMRH_Session cookies persist captured by fiddler and shown below:

LastMRH_Session=2a94e345 &lt;-This "original" APM cookie will persist until I close the browser
MRHSession=1674a7dc5d9cfea7897058ae2a94e345 &lt;-This "original" APM cookie will persist until I close the browser
LastMRH_Session=4860c635 &lt;-These target APM cookie will change each time I reload the page which is desired
MRHSession=4e66de30c150cdb553c1cced4860c635 &lt;-These target APM cookie will change each time I reload the page which is desired

The domain cookie on the original APM is "xxxxx.com" and the target APM is "passwordreset.xxxxx.com"

Any other thoughts?

Thanks

s_martin_253133 · Answer

Appreciate the advice.  I have attempted to insert the example lines into a HTTP_REQUEST part of an iRule on the target APM and am still seeing the original MRHSession/LastMRH_Session cookies persist captured by fiddler and shown below:

LastMRH_Session=2a94e345 &lt;-This "original" APM cookie will persist until I close the browser
MRHSession=1674a7dc5d9cfea7897058ae2a94e345 &lt;-This "original" APM cookie will persist until I close the browser
LastMRH_Session=4860c635 &lt;-These target APM cookie will change each time I reload the page which is desired
MRHSession=4e66de30c150cdb553c1cced4860c635 &lt;-These target APM cookie will change each time I reload the page which is desired

The domain cookie on the original APM is "xxxxx.com" and the target APM is "passwordreset.xxxxx.com"

Any other thoughts?

Thanks

Forum Discussion

iRule to clear session when traversing to new APM Profile

9 Replies

Recent Discussions

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

Related Content

Citrix XenMobile Server– Path Traversal

Path Traversal Detection

SSL Profiles

How to ensure source address and source port are accepted and traversed properly via F5 SNAT automap

Server Profile SNI