dp_119903
Sep 03, 2015

APM Inactivity Timer(s)

I have a quick question regarding timers and APM.

I recently deployed a SAML IdP solution for our SharePoint environment. When I was setting it up to begin with, the timers were initially based on the HTTP session (browser window). If the browser was closed the timer expired, but as long as it was open the session was good.

Then I ran into some issues where users couldn't open up documents in thick clients (Word, Excel, etc.) from the document libraries. I did some digging and found an iRule on DevCentral (that is apparently in a deployment guide) that addressed this. However, it basically set up persistent cookies so that the cookies could be shared between the browser and thick clients.

Once I did that, the issue I ran into was that when a user closed their browser, their session didn't time out for 15 minutes (which happens to be the default inactivity timeout in the access profile), which created some security concerns with regard to users and public computers. So I went ahead and set the inactivity timer in the access profile to 60 seconds. This way, if a user closes their browser, it will time out within 60 seconds; however, this also means that if they have their browser open but aren't doing anything, the session times out in 60 seconds, which is causing some issues.

The problem that I have is that when users go into SharePoint and are doing certain activities (like editing a document), their session times out before they are done editing it, and then that creates issues when they try to check the document back in, etc.

So my question is this: is there a way to keep the session alive as long as the browser is open (as it was before I added the iRule that set up persistent cookies)? I was working with TCP keepalives and idle timeouts in the TCP profile, but haven't had any luck.

My ideal scenario would be to have a user's session active as long as the browser window is open (unless there is no activity for a long amount of time, like 30 minutes), but to close the session relatively quickly if the actual browser window is closed.

Any assistance would be greatly appreciated.

This is the iRule that I am using:

3 Replies

  • ~~~
    when HTTP_REQUEST {
        if { [HTTP::cookie exists "MRHSession"] } {
            # Remember the session ID to be used on the response
            set MRHSHint [HTTP::cookie value "MRHSession"]
            # Strip off the SharePoint hint cookie so backend does not see it
            if { [HTTP::cookie exists "MRHSHint"] } {
                HTTP::cookie remove "MRHSHint"
            }
        } elseif { [HTTP::cookie exists "MRHSHint"] } {
            HTTP::cookie insert name "MRHSession" value [HTTP::cookie value "MRHSHint"]
            # Refresh the SharePoint hint cookie
            set MRHSHint [HTTP::cookie value "MRHSHint"]
            # Strip off the SharePoint hint cookie so backend does not see it
            HTTP::cookie remove "MRHSHint"
        }
    }

    when ACCESS_ACL_ALLOWED {
        set timeout [ACCESS::session data get "session.inactivity_timeout"]
        set secure [PROFILE::access "secure_cookie"]
        set clientip [ACCESS::session data get "session.user.clientip"]
        # Check source address
        if { not ( $clientip equals [IP::remote_addr] ) } {
            ACCESS::respond 401 content "Error: Failure in Source Address Check" Connection Close
        }
    }

    when HTTP_RESPONSE {
        if { not [info exists timeout] } { set timeout 60 }
        if { not [info exists secure] } { set secure 1 }
        if { [info exists MRHSHint] } {
            # Insert a SharePoint hint cookie
            HTTP::cookie insert name "MRHSHint" value $MRHSHint
            # Keep the life of SharePoint hint cookie same as session cookie
            # Also make it persistent.
            HTTP::cookie expires "MRHSHint" $timeout relative
            if { $secure equals "1" } {
                HTTP::cookie secure "MRHSHint" enable
            }
            HTTP::cookie path "MRHSHint" "/"
            unset MRHSHint
        }
    }
    ~~~
  • Hi,

    Look at this thread: https://devcentral.f5.com/questions/sharepoint-and-office-integration-part-2

    I posted an iRule and the VPE screenshot assigned to.

    • If the user selected private computer on the logon page, it inserts a dedicated cookie with the session ID and creates the MRHSession cookie only if the user agent is not a browser... if the SAML IdP does not provide trusted information, you can

    • If the user wants to edit a previously authenticated session, it enables clientless mode (Basic authentication) or MSOFBA (form-based auth supported by Office clients)

    The MSOFBA is validated with SAML authentication, as I created the iRule to migrate from AD auth to SAML.

  • Hi,

    If you read my iRule, I copied the MRHSession cookie (which is not persistent) into a persistent cookie (name in variable $static::ckname).

    This cookie is time limited to 2 minutes (120 seconds) and can be increased.

    If the browser is closed, the default MRHSession is deleted and only "clientless" browsers have the persistent cookie copied back to MRHSession. Isn't it what you want???

    The only thing you have to change in the iRule is to provision the session.logon.last.private variable to 1 in VPE (or clean the iRule to remove the condition about this variable).
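
A sketch of the approach described in the last reply, added here as an example; it is not the replier's iRule from the linked thread. It keeps the session cookie non-persistent, gives the hint copy a fixed 120-second lifetime instead of the profile's inactivity timeout, and restores the session from the copy only for non-browser clients. The `static::hint_*` names, the user-agent patterns and the HTTPS-only virtual server are assumptions.

```tcl
when RULE_INIT {
    # Assumed names and values; the 120 s lifetime is the figure from the reply
    set static::hint_name "MRHSHint"
    set static::hint_ttl 120
}

when HTTP_REQUEST {
    # Constructed user-agent patterns for Office/WebDAV clients; adjust to
    # the clients actually seen in your logs
    set ua [string tolower [HTTP::header value "User-Agent"]]
    set is_office [expr { [string match "*microsoft office*" $ua] ||
                          [string match "*microsoft-webdav*" $ua] }]

    if { [HTTP::cookie exists "MRHSession"] } {
        # Active browser session: remember the ID so the response can
        # refresh the short-lived persistent copy
        set hint [HTTP::cookie value "MRHSession"]
    } elseif { $is_office && [HTTP::cookie exists $static::hint_name] } {
        # Only non-browser clients may resume from the persistent copy;
        # a reopened browser presenting just the hint is sent back to logon
        set hint [HTTP::cookie value $static::hint_name]
        HTTP::cookie insert name "MRHSession" value $hint
    }

    # Never forward the hint cookie to SharePoint
    if { [HTTP::cookie exists $static::hint_name] } {
        HTTP::cookie remove $static::hint_name
    }
}

when HTTP_RESPONSE {
    if { [info exists hint] } {
        # Persistent copy with its own short lifetime, decoupled from
        # session.inactivity_timeout in the access profile
        HTTP::cookie insert name $static::hint_name value $hint path "/"
        HTTP::cookie expires $static::hint_name $static::hint_ttl relative
        # Assumes the virtual server is HTTPS-only
        HTTP::cookie secure $static::hint_name enable
        unset hint
    }
}
```

With the hint lifetime decoupled, the access profile's inactivity timeout can stay at a longer value such as the 30 minutes mentioned in the question. The User-Agent header is client-supplied, so this narrows exposure on shared computers rather than authenticating the client; the source-address check in `ACCESS_ACL_ALLOWED` from the original iRule can be kept alongside it.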