I'm very green to the f5, and have what I think ought to be a fairly simple question, though I have not had any luck finding the answer so far. When a user navigates to the login page, before he or she even logs in, the f5 is counting that as 1 Active Session from the user's IP address. When the user closes the browser, that session stays active for the duration of my timeout.
What I'm wondering is if it's possible to not have the act of simply navigating to the login page count as 1 active session? What would be more preferable would be for the session counter to not start until after the user has been authenticated. I have found an iRule that would remove the session when a user logs out, but even if I implement this iRule, when the user gets logged out he or she is returned to the login screen, and I would think another session would then get created, so I would be no better off than I am now.
Is there an easy way to not start the session counter until after login? Any help on this would be greatly appreciated.
You can't change this as far as I know.
If you are worried about this because of the potential for abuse, there are settings that can mitigate this. For instance "Max In Progress Sessions per Client IP". YOu can limit this to a low number.
YOu can also set the "Access Policy Timeout" which is the amount of time allowed between session start and Policy complete (decision to Allow or Deny access).
Thanks for your response. Can you tell me more about the Access Policy Timeout. If this timeout expires, will it remove the session from the f5?