How to expire F5 APM session on browser close with alternate timeout

Question

We are using the F5 APM to control access to our webapp, but are having some issues regarding expiration rules.

The scenario we want is that the cookie expires 12 hours after creation, or upon browser close, whichever comes first.

Despite our efforts, it would seem that we only have 1 of two options

• set the cookies "Expires" property to 12 hours (or max-age)
• don't set the "Expires" property at all

The first option successfully allows for the cookie to expire after 12 hours, but if the browser closes, the cookie is persisted until that time, so only one of the 2 conditions is met.

The second option will expire the cookie on browser close, but will not expire if the browser is open for 12 hours or more.

Is there a setting with the F5 APM that will expire the session on the F5 side, while the cookie can remain a session cookie on the browser side?

Answer 1

The best way to accomplish what you are trying to do with APM is to use a session cookie for the APM MRH cookie, and then set the Maximum Session Timeout setting to 12 hours (the value is set in seconds) on the Access profile under Properties in the Settings section (on version 11.x, may be in a slightly different place on v10.x). This will do exactly what you are trying to do.