Forum Discussion

Adam_Ingle_1300's avatar
Adam_Ingle_1300
Icon for Cirrus rankCirrus
Jun 01, 2016
Solved

APM Forms SSO Session Logout Error Page

Good day!

I am trying to get my policy to recognize when the page /Login/LogOff is being accessed. I'm using Forms Based SSO to front-end an application which is working successfully, but when the user selects the "Log Off" button on the application (not the BIG-IP/APM), an error page is being generated.

I am using the iRule:

when ACCESS_ACL_ALLOWED {
    if { [HTTP::uri] equals "/Login/LogOff" } {
        ACCESS::session remove
        ACCESS::respond 302 Location "http://[HTTP::host]" "Set-Cookie" "MRHSession=0; expires=Tuesday, 29-Mar-1970 00:15:00 GMT" "Connection" "Close"
    }
}

Error generated:

Access policy evaluation is already in progress for your current session.

You may see this message, if you are using a different browser tab than the one where you started the access policy initially. Please continue to finish your access policy in the previous browser tab, and close this current window immediately.

If you have reached to this message due to some other error, click for creating a new session.

I've also attempted SOL12056, but with limited success. It does infact terminate the session, but does not successfully redirect the user to the login page immediately. There's a delay and the lowest is 1 second.

With the iRule, I've been able to redirect and I've been able to terminate the APM session. But I am unable to do both at the same time.

I've tried a myriad of other iRules and combinations and orders with no additional success.

Thoughts?

Thanks!

APM
application delivery
devops
iRules
  • Brad_Parker_139's avatar
    Brad_Parker_139
    Jun 01, 2016

    If you change the rule to have the redirect logic in the response it will allow the backend application to receive the request and close the session there as well. This will ensure both the app and APM session are closed properly.

    when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    set logout 0
    if {[HTTP::uri]] equals "/Login/logoff"]}{set logout 1}
}
when HTTP_RESPONSE {
    if {$logout}{
        log local0. "logout-request-URI: local URI [HTTP::host][HTTP::uri] redirect to /vdesk/hangup.php3"
        HTTP::header replace "Location" "/vdesk/hangup.php3"
    }
}

10 Replies

Sort By
  • Yann_Desmarest_'s avatar
    Yann_Desmarest_
    Icon for Nacreous rankNacreous
    Jun 01, 2016

    Hi,

    You should use the following instead or configure the logout setting in the access profile directly :

    when ACCESS_ACL_ALLOWED {
    if { [HTTP::uri] equals "/Login/LogOff" } {
        ACCESS::respond 302 Location "http://[HTTP::host]/vdesk/hangup.php3"
    }
}
    • Adam_Ingle_1300's avatar
      Adam_Ingle_1300
      Icon for Cirrus rankCirrus
      Jun 01, 2016
      Yann, thank you very much for the reply. I did try the suggested iRule as well as the logout settings in the profile. Both together and separate without success. I am still presented with the error mentioned above. I am working with the application owners as I believe when the "log off" button is selected, rather than a final landing page, I believe the application is terminating the session and using a 302 redirect to return the user to the login page. Which is exactly what I want the APM to do as well. So there may be a conflict with the application response and the APM's response to the end user.
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jun 01, 2016

    Hi,

    You should use the following instead or configure the logout setting in the access profile directly :

    when ACCESS_ACL_ALLOWED {
    if { [HTTP::uri] equals "/Login/LogOff" } {
        ACCESS::respond 302 Location "http://[HTTP::host]/vdesk/hangup.php3"
    }
}
    • Adam_Ingle_1300's avatar
      Adam_Ingle_1300
      Icon for Cirrus rankCirrus
      Jun 01, 2016
      Yann, thank you very much for the reply. I did try the suggested iRule as well as the logout settings in the profile. Both together and separate without success. I am still presented with the error mentioned above. I am working with the application owners as I believe when the "log off" button is selected, rather than a final landing page, I believe the application is terminating the session and using a 302 redirect to return the user to the login page. Which is exactly what I want the APM to do as well. So there may be a conflict with the application response and the APM's response to the end user.
  • Yann_Desmarest's avatar
    Yann_Desmarest
    Icon for Cirrus rankCirrus
    Jun 01, 2016

    This error message is displayed when you already have a pending session (so MRHSession cookies in the request) and you go to an invalid landing uri.

     

    Can you trace what happens using fiddler or httpwatch ?

     

  • youssef1's avatar
    youssef1
    Icon for Cumulonimbus rankCumulonimbus
    Jun 01, 2016

    Hi,

    can you please test this irule:

    when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {

    if { [HTTP::uri]] equals "/Login/logoff" ] } {
        log local0. "logout-request-URI: local URI [HTTP::host][HTTP::uri] redirect to /vdesk/hangup.php3"
        HTTP::redirect "/vdesk/hangup.php3"
    }

}
  • Brad_Parker_139's avatar
    Brad_Parker_139
    Icon for Nacreous rankNacreous
    Jun 01, 2016

    If you change the rule to have the redirect logic in the response it will allow the backend application to receive the request and close the session there as well. This will ensure both the app and APM session are closed properly.

    when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    set logout 0
    if {[HTTP::uri]] equals "/Login/logoff"]}{set logout 1}
}
when HTTP_RESPONSE {
    if {$logout}{
        log local0. "logout-request-URI: local URI [HTTP::host][HTTP::uri] redirect to /vdesk/hangup.php3"
        HTTP::header replace "Location" "/vdesk/hangup.php3"
    }
}
    • Adam_Ingle_1300's avatar
      Adam_Ingle_1300
      Icon for Cirrus rankCirrus
      Jun 01, 2016
      Ah. Right on, Brad. By using the HTTP_RESPONSE to replace the header, that also means the application on the back-end receives the original log off request. Without that, the APM session is torn down, but the application session is not. I've tested with this suggested iRule and I see both sessions torn down properly. Many thanks, Brad!
  • Brad_Parker's avatar
    Brad_Parker
    Icon for Cirrus rankCirrus
    Jun 01, 2016

    If you change the rule to have the redirect logic in the response it will allow the backend application to receive the request and close the session there as well. This will ensure both the app and APM session are closed properly.

    when CLIENT_ACCEPTED {
    ACCESS::restrict_irule_events disable
}
when HTTP_REQUEST {
    set logout 0
    if {[HTTP::uri]] equals "/Login/logoff"]}{set logout 1}
}
when HTTP_RESPONSE {
    if {$logout}{
        log local0. "logout-request-URI: local URI [HTTP::host][HTTP::uri] redirect to /vdesk/hangup.php3"
        HTTP::header replace "Location" "/vdesk/hangup.php3"
    }
}
    • Adam_Ingle_1300's avatar
      Adam_Ingle_1300
      Icon for Cirrus rankCirrus
      Jun 01, 2016
      Ah. Right on, Brad. By using the HTTP_RESPONSE to replace the header, that also means the application on the back-end receives the original log off request. Without that, the APM session is torn down, but the application session is not. I've tested with this suggested iRule and I see both sessions torn down properly. Many thanks, Brad!