Forum Discussion
kunjan_118660
Cumulonimbus
..in my scenario the MRHSession cookie is deleted. I only have the "LastMRH_Session" cookie, which has the shorter 8 character number.
Just curious what scenario are you having? If it's deleted wouldn't this considered as an invalid session?
AlgebraicMirror
May 05, 2015Altostratus
Yes, it would be considered an invalid session. Which causes the APM to start up a new session. But I don't want a new session; I just want the traffic dropped.
Here's the specific scenario: there's a race condition in the latest Exchange CAS iApp for Exchange/OWA 2013. What happens is that oftentimes after you signout, and the APM removes your session, other browser threads will still be in the process of firing off a last HTTP request for content from OWA (the browser doesn't stop them instantly; they are not stopped until after your redirect to the hangup page is complete). In some cases, they don't submit the MRHSession cookie because the hangup page erases it, but they are still in flight in the browser thread and still get fired off at the last second.
When they hit the APM, the APM sees that session no longer exists, so it starts a new one. It also records the URL they requested (often a javascript file or some other such) in a session variable so that it can redirect to that after the user finishes logging in. This is all background stuff the user doesn't see.
But then, if the user hits the "start new session" link on the hangup page, they will get an error saying a session is already in progress, and they will get sent to the APM login page to complete authentication. After they complete authentication, they will get redirected to a javascript resource rather than the OWA homepage, because that earlier late breaking request for a resource created a new session and set the redirect variable to that resource. This breaks the OWA app for that user.
So I need to be able to look things up by the 8 digit ID in an iRule so that I can discard the traffic before it creates a new session, because in some cases that 8 digit ID is literally the only thing I have that could distinguish valid traffic from invalid traffic.