Forum Discussion

BrettReed_16317
Aug 25, 2016

SharePoint 2013 and browser logout issue

We are using BIG-IP LTM & APM 11.6.1 and have set up a virtual server for our SharePoint 2013 farm. The issue that we are experiencing is that if the user is using the Chrome browser, no matter whether they select "Sign Out" or just close the browser, their session stays open and the next person to visit that site is logged in with the previous user's credentials. Many of our users will be logging onto this SharePoint site from public computers, so this is a huge security risk. Has anyone found a good solution to this problem that still allows users to edit documents on the site using Microsoft Word or Excel?

 

5 Replies

  • mikeshimkus_111
    Historic F5 Account

    Hi Brett, is this only happening in Chrome?

     

    Did you use the latest version of the SharePoint iApp to deploy? Should be f5.microsoft_sharepoint_2010_2013.v1.2.1.

     

    The iApp will assign a logout URI to the APM policy to terminate the session when you click the logout button in SharePoint. I just tested this using a deployment configured by the iApp, and the session was correctly killed after I clicked logout in Chrome.

     

    thanks

     

    Mike

     

    • BrettReed_16317

      Thanks Mike, I was not using the latest iApp but have just downloaded it and tested the scenario with it and have the same outcome. The "sign out" URL prepends the subsite name to the /_layouts/15/SignOut.aspx in SharePoint and then it doesn't work. We have multiple subsites so adding them all to the Logout URL is not an option. (If I remove the subsite name, it does log out correctly.)

       

      However, I also have to have a solution that kills the session if they just close the browser, as many of our users do not click the logout button - thus leaving access to their personal information accessible to the next user. The SharePoint site is Internet facing so we are not able to enforce anything using Group Policy either.

       

      Firefox behaves perfectly, logs out using the button and terminates session when browser is closed. I have been able to get IE to work like I want it to using iRules but not Chrome. Haven't even tried Safari yet!

       

    • mikeshimkus_111
      Historic F5 Account

      We have an open request to add wildcard support to the logout URI. I believe this would solve your issue. Would appreciate it if you have time to open a case with F5 support and reference issue ID 440234 so they can add the case to the list.

       

      Regarding the issue with closing the browser, if the edge client is not being used, APM has no indication that the browser has been closed. The only way to mitigate this would be to shorten the inactivity timeout interval in the APM access policy settings.
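
Added example (not part of the thread, and not F5's or the iApp's own code): while the logout URI takes no wildcard, an iRule on the APM virtual server can match the SharePoint sign-out page under any subsite and end the session server-side. It assumes the rule runs in the ACCESS_ACL_ALLOWED event and that sending the browser to APM's built-in logout page /vdesk/hangup.php3 is acceptable.

```tcl
# Added example, not the iApp's code. Attach to the APM-enabled virtual server.
when ACCESS_ACL_ALLOWED {
    # Compare the path only (query string excluded), lower-cased, so the
    # sign-out page matches at the root and under every subsite, e.g.
    #   /_layouts/15/SignOut.aspx
    #   /sites/hr/_layouts/15/SignOut.aspx   (constructed sample path)
    set path [string tolower [HTTP::path]]

    if { $path ends_with "/_layouts/15/signout.aspx" } {
        # Delete the access session on the BIG-IP. A session cookie that the
        # browser keeps or restores later no longer maps to a valid session.
        ACCESS::session remove

        # Send the browser to APM's logout page instead of passing the
        # request on to SharePoint.
        ACCESS::respond 302 Location "/vdesk/hangup.php3" Connection Close
    }
}
```

This covers only the case where the user clicks "Sign Out"; a closed browser still depends on the inactivity timeout described in the reply above.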

       

  • Create a cookie persistence profile and link it to the Virtual server ==> resources ==> Default persistence profile. This should solve the sign out issue in SharePoint.

     

    • BrettReed_16317

      I'm not very familiar with this but I'm not sure I understand what you are saying - the options for cookie persistence appear to me to be creating affinity with the backend servers rather than terminating the client sessions. What am I missing?

       

      There is a setting within the Chrome browser (default) (and Opera) that sets the Cookies option to "Allow local data to be set - recommended". If I turn this off, the browser behaves as expected and terminates the session. As we do not have control over many of the systems that our students use to access our SharePoint installation, I cannot change this default behavior, so I was looking for a way to do it through F5 as it is done through TMG, where you can set the option for using persistent cookies to "Only on private computers".