Forum Discussion

CA_Valli's avatar
Feb 15, 2022

iRule to restart APM session


I'm deploying an environment where two separate portals, both published via F5 with separate access profiles, are hosted on the same F5 platform. 

There's hyperlinks in one of them that link to resources in the other portal. User will need to authenticate (separate authentication from the first portal) to see the resources. 

The problem I'm facing is that when hyperlink is clicked, F5 believes this is a hijacking attempt. It resets the authentication session previously opened for the first portal, and shows an error on the second logon page stating that the session was reset (showing ID for the session opened beforehand on the first portal). Clicking the "Start a new session" button does not restart authentication succesfully. 

I've noticed the only way to make it work will be opening a session on the second portal in the new page, then clicking the hyperlink will display "invalid username and password" and prompt for new authentication. 

I've thought about writing an iRule that drops&restarts authentication session if HTTP::referrer header is populated with the first portal, but I'm struggling to do so (so far I'm stuck in a redirect loop). 

Can anyone please help me with that?

So far it looks like



	if {[HTTP::header value Referer] equals "https://firstsite/" } {
            ACCESS::session remove
            ACCESS::respond 302 noserver Location "/"



 Thanks in advance


  • solved with brand new code to manage cookies.

4 Replies

  • HI CA,

    have you the iRule at hand that solves the problem to remove an apm session?



    • CA_Valli's avatar
      Icon for MVP rankMVP

      Hello Cay, what do you need to achieve?
      I do have some working code, but I remember tuning this iRule to be specific for my scenario. 

      • Cay's avatar
        Icon for Nimbostratus rankNimbostratus

        Hello CA,

        I use the APM my.policy to perform Oauth2 Azure authorization. We would like to be able to login and logout users from the APP. With both I stumbled upon ACCESS::session and found your article. So I tried to logout a user with ACCESS::session remove at HTTP_REQUEST, HTTP_RESPONSE. You suggest ACCESS_SESSION_STARTED, but this never worked and I think it is too early. If you have a codlet with the events I could dig deeper.

        I hope this helps you to help me :-).