Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology

Help with iRule - APM Logout Sequence + Redirect


Environment = SAP Netweaver (LTM/APM) 

Logout URI configured    iRule redirects users to hangup.php3 but does not remove session cookies.  This allows users the capability to access the servers directly (bypassing the APM) and need help.  

I'm not sure we are doing this the best way.  We got it to function, but since the session cookies are not being removed. It seems to be the order of execution.  The redirect to hangup.php3 is executed before the REMOVE cookies command is able to execute.

 As it is today this will never get passed the Network Security team.  Any advice would be appricated, here's what happens:

User hits the Logout button (defined in APM access policy as the Logout URI), this is the LogOutComponent defined in the iRule as well. Nothing really happens without the iRule.  When we use this iRule it removes the session from the APM but the problem is the SAP cookie's are still their and the user can simply access the servers directly (servers are not in a secure vlan)

So we need a way to have the redirect happen after the REMOVE Cookie portion.  But it is all part of the same response so I'm not sure this is the correct way of doing it.

The only cookie that we really need removed is the MYSAPSSO2.  The others would be nice, i can upload a screen shot of fiddler if that helps. (where you can see the redirect to hangup and it still has the cookies)

        #this will redirect users to the login screen if user is logging out 
        if {[HTTP::uri] == "/irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.masthead.LogOutComponent"} { 
                log local0.info "ABC - logging off from portal" 

                ACCESS::session data set "session.user.esssso" "done" 

                #remove session info 
                #ACCESS::session remove 

                set removeCookiesFlag "YES" 

                #send to login screen, hard coded for now 
                #HTTP::redirect "https://abc.com/" 

        #session is over, remove all cookies 
        if {[ACCESS::session data get "session.user.esssso"] == "done"} { 
                log local0.info "ABC - deleting Portal cookies" 

                #remove all SAP cookie 
                HTTP::cookie remove "SAPSSO" 

                #remove sso cookie 
                HTTP::cookie "ess_login" "not allowed" 

                #remove session info 
                ACCESS::session remove 

                #HTTP::redirect "https://abc.com/my.policy" 
        HTTP::redirect "https://abc.com/vdesk/hangup.php3" 

Rate this Question

Answers to this Question


I tried to encrypt the cookie thinking this would be a good work around.  And it does allow the user to log off and even if they have the cookie it is now encrypted. 

The problem is without removing the cookies, if the user tries to log back in gets load balanced to another server, the session is invalid.  He never gets the new cookie (when they login) because he already has it.

Doh, I thought i had a good solution, but back to the drawing board...