Cory_O_150882
Jan 24, 2016

Inactivity Timeout - MultiDomSSO With Persistent MRHSession Cookies

Good morning!

I was looking to modify our SharePoint solution published through APM so that in the event of a user utilizing multiple tabs, a logout from one will simply shorten the Inactivity Timeout to 300 seconds vs. treating it like a SLO with a 302 to /vdesk/hangup.php3. In addition, the proposed iRule would also return the Inactivity Timeout to the default of 1800 seconds on a subsequent connection if another tab was in use. Here's the logic I've put into place:

 

when ACCESS_ACL_ALLOWED {

    # Set runtime variables.
    set timeout_value [ACCESS::session data get "session.inactivity_timeout"]

    # Check for logoff URI and shorten Inactivity Timeout to 5 minutes if necessary.
    if { [HTTP::uri] ends_with "/_layouts/SignOut.aspx" } {
        if { $timeout_value != 300 } {
            ACCESS::session data set session.inactivity_timeout 300
            ACCESS::session data set session.max_session_timeout 300
        }
    } else {
        if { $timeout_value != 1800 } {
            ACCESS::session data set session.inactivity_timeout 1800
            ACCESS::session data set session.max_session_timeout ""
        }
    }

    # Logging function to be removed prior to production.
    set session_id [ACCESS::session data get "session.user.sessionid"]
    set post_timeout_value [ACCESS::session data get "session.inactivity_timeout"]
    set user_id [ACCESS::session data get "session.logon.last.username"]

    if { $timeout_value != $post_timeout_value } {
        switch -glob $post_timeout_value {
            "1800" {
                log local0.notice "[HTTP::uri] Session $session_id User $user_id: Inactivity timeout set to default $post_timeout_value."
            }
            "300" {
                log local0.notice "[HTTP::uri] Session $session_id User $user_id: Inactivity timeout shortened to $post_timeout_value."
            }
        }
    }
}
definition-checksum 334dfa0ed05e4a46e9fb578f0d5477a5

 

What I'm seeing is that although the session variables are shortened with this iRule, the session itself still sticks to the original Inactivity Timeout of 1800 seconds.

Are these session variables only applicable while Policy Evaluation is in progress? Is there any other way to modify the Inactivity Timeout of an existing valid session?

Thanks, all!

 

6 Replies

  • Lucas_Thompson_
    Historic F5 Account

    The inactivity timers unfortunately aren't directly gettable or settable after the session has reached the allowed state.

     

    • Cory_O
      Thank you, Lucas. That's good to know!
    • JoeTheFifth

      Lucas, care to explain when the timers are settable exactly in an iRule? Which events, any examples? The only place I can set these two variables correctly is in the VPE itself; no luck setting any values in the access_allowed or access_complete events.

       

    • Lucas_Thompson_
      Historic F5 Account

      Right, you can't set them after the session has been started. They're an internal data representation inside TMM that isn't modifiable. As I recall it's something to do with optimization / performance since those have to be inspected so often.

       

      What thing are you trying to do specifically, and on what version?

       

  • Hi Cory,

    you may try to implement your own soft slo functionality using the [table] command. The stuff I've in my mind would look something like this...

     

    if { [set slo_lifetime [table lifetime -remaining "slo_[ACCESS::session sid]"]] eq "" } then {
        if { [HTTP::uri] ends_with "/_layouts/SignOut.aspx" } {
            table set "slo_[ACCESS::session sid]" "1" indef 1860
        }
    } else {
        if { $slo_lifetime < 960 } then {
            ACCESS::session remove
            HTTP::respond 302 Location "/vdesk/hangup.php3"
        }
        table delete "slo_[ACCESS::session sid]"
    }
    

     

    When the user visits the logoff page, the snippet would create an additional [table] based soft-log-out timer. The soft log out timer would last slightly longer than your original Inactivity Timeout.

    • If the user decides to revisit the site within the next 900 seconds, it would just refresh your APM session and delete the [table] counter.
    • If the user visits the page after 900 seconds have elapsed, it would kill the APM session and then redirect the user to the logoff page.

    Cheers, Kai

  • Kai Wilke is a genius! I've implemented the iRule snippet under an HTTP_REQUEST event with a couple of simple modifications:

     

    if { [set slo_lifetime [table lifetime -remaining "slo_[ACCESS::session sid]"]] eq "" } then {
        if { [HTTP::uri] ends_with "/_layouts/SignOut.aspx" } {
            table set "slo_[ACCESS::session sid]" "1" indef 1860
        }
    } else {
        if { $slo_lifetime < 1560 } then {
            ACCESS::session remove
            HTTP::respond 302 Location "/vdesk/hangup.php3"
        }
        table delete "slo_[ACCESS::session sid]"
    }
    

     

    The originally proposed code ran a table lookup -notouch command which only pulled the established value of "1". I changed this to table lifetime -remaining which now polls the table entry for its remaining lifetime. Also, since I wanted a 5 minute buffer between logging out and the session expiring, I changed the second value to subtract 300 instead of 900.

    Bottom line; this thing is working BEAUTIFULLY. Top marks to Kai, and thank you!

    -Cory
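
An added model of the soft-logout timer discussed in this thread, written in Python so the timing can be replayed offline; it is not code from any poster. It assumes that `table lifetime -remaining` returns an empty result once the entry is missing or its lifetime has run out, and that the lifetime counts down from the moment of `table set`; `SoftLogoutModel`, `replay` and the session ID are hypothetical names.

```python
# Added illustration: a small model of the soft-logout timer from the thread.
# SoftLogoutModel/replay are hypothetical names; only the constants below
# (1860, 1560, the SignOut URI suffix) come from the posted iRule.
SIGNOUT_SUFFIX = "/_layouts/SignOut.aspx"
ENTRY_LIFETIME = 1860   # lifetime given to `table set ... indef 1860`
KILL_BELOW = 1560       # threshold in the final version (1860 minus 300 s)


class SoftLogoutModel:
    """Models one `slo_<sid>` table entry per session with a fixed lifetime."""

    def __init__(self, lifetime=ENTRY_LIFETIME, kill_below=KILL_BELOW):
        self.lifetime = lifetime
        self.kill_below = kill_below
        self.expires_at = {}      # sid -> absolute expiry time of the entry
        self.removed = set()      # sids whose APM session was removed

    def _remaining(self, sid, now):
        """Like `table lifetime -remaining`: None when no live entry exists."""
        expiry = self.expires_at.get(sid)
        if expiry is None or now >= expiry:
            self.expires_at.pop(sid, None)
            return None
        return expiry - now

    def request(self, sid, uri, now):
        """Apply the HTTP_REQUEST logic to one request; return what it did."""
        remaining = self._remaining(sid, now)
        if remaining is None:
            if uri.endswith(SIGNOUT_SUFFIX):
                self.expires_at[sid] = now + self.lifetime
                return "timer-armed"
            return "pass"
        # An entry exists: decide, then always delete it (as the iRule does).
        del self.expires_at[sid]
        if remaining < self.kill_below:
            self.removed.add(sid)
            return "session-removed"
        return "timer-cancelled"


def replay(events, sid="sid-constructed"):
    """Run (seconds, uri) events for one session and collect the outcomes."""
    model = SoftLogoutModel()
    return [model.request(sid, uri, t) for t, uri in events]
```

In this model any request on the session inside the 300-second buffer returns `timer-cancelled`, including a sub-resource fetch or a second hit on the sign-out URI, so the soft logout only takes effect when the session stays completely quiet for the buffer period.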