Vinne73
Sep 25, 2018
Chrome prefetch breaks APM sessions?
Hi,
We use Big-IP APM as a SAML SP for Shibboleth IdP. Our APM Policy is nothing too fancy. It's a multi-domain SSO.
The problem: we see a lot of /my.logout.php3?errorcode=21 in /var/log/ltm
In /var/log/apm we see this error: "Session deleted due to user logout request." This is not the case. The user did not ask for a logout. What probably happens, is that deep inside the APM functionality, an error happens (Invalid nonce) and then APM redirects to /my.logout.php3?errorcode=21.
So I did some digging. My results so far:
- Every time this happens, there are two requests to /my.policy instead of one.
- Almost all (or all) of these requests are Chrome.
- For the latest version of Chrome (Chrome/69.0.3497.100), I almost always get the header "Purpose: prefetch" on one of the requests.
- For all the older versions, Chrome 68 and older, I don't get the header.
So I assume it's all prefetch, and the latest Chrome identifies it as such. This leads me to some questions:
- Has anybody observed the same behaviour, and what were your solutions?
- Can this double request or prefetch break an APM session this way, and why does Chrome prefetch /my.policy anyway? Is there any way to block this?
- If I detect the prefetch call to /my.policy, can I safely send a 403? Or will this block both requests?
Thank you - I'm a bit stuck with this.
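As an added illustration of the detection idea raised in the last question (this is example code written for this page, not something posted by Vinne73 or shipped by F5): an iRule attached to the APM virtual server that recognises the "Purpose: prefetch" header on requests for /my.policy, logs them, and optionally refuses them before they reach the access policy. The header name and the /my.policy path come from the post; the log-only switch, the 403 body, and the `Cache-Control: no-store` response header are my own assumptions about how one would want to stage this. It goes one step beyond the post by also matching the `Sec-Purpose: prefetch` header that newer Chrome releases send for the same purpose.

```tcl
# Example iRule for BIG-IP (added for this page; not from the original post).
# Assumes prefetch requests carry "Purpose: prefetch" as described in the post,
# or "Sec-Purpose: prefetch" as newer Chrome builds send.
when RULE_INIT {
    # Assumed operating switch: 1 = only log prefetches, 0 = also answer them with 403.
    set static::prefetch_log_only 1
}

when HTTP_REQUEST {
    # Only look at the APM policy endpoint named in the post.
    if { [string tolower [HTTP::path]] ne "/my.policy" } { return }

    # Missing headers come back as an empty string, so the comparison simply fails.
    set purpose     [string tolower [HTTP::header value "Purpose"]]
    set sec_purpose [string tolower [HTTP::header value "Sec-Purpose"]]
    if { $purpose ne "prefetch" && $sec_purpose ne "prefetch" } { return }

    # Record enough to correlate with the errorcode=21 logout entries in /var/log/ltm.
    log local0. "prefetch of /my.policy from [IP::client_addr] UA=[HTTP::header value "User-Agent"]"

    if { $static::prefetch_log_only } { return }

    # Refuse the speculative request before APM sees it. The no-store directive is an
    # assumption intended to keep the browser from reusing this 403 for the real navigation.
    HTTP::respond 403 content "prefetch not allowed" noserver \
        "Content-Type"  "text/plain" \
        "Cache-Control" "no-store"
}
```

Running it in log-only mode first lets you confirm, against /var/log/ltm, that the flagged requests line up with the errorcode=21 entries before any request is refused. The rule only touches requests that carry the prefetch header, so the user's own navigation request, which lacks it, still reaches the access policy unchanged.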