Forum Discussion

Alexander_01_13
Nov 19, 2013

f5 sharepoint tenacious session issue

Good evening!

 

We are experiencing a security issue with our F5 SharePoint deployment. I have used the iApp f5.microsoft_sharepoint_2010; the software version is BIG-IP 11.4.1 Build 608.0 Final.

 

The problem is that once a browser session is established, it continues even though the browser is closed, and even if the client is rebooted. When I call up the URL of the SharePoint site, it connects me without asking for authentication.

 

How can I make the session become invalid when the browser is closed?

 

Thanks for advice! Alex

 

37 Replies

  • Same problem here: SharePoint 2010 with persistent cookies enabled on F5 in order to allow editing in Office. Until a solution is found we decided to set the timeout to 5 minutes, then added JS code to the SharePoint master page to retrieve an image every 4 and a half minutes. This resets the expiry on the persistent cookie for another 5 minutes, cutting the window for someone unauthorized to access the site on a public computer down to a maximum of 5 minutes. Still, this is a hole that should not be there. I understand users should always click Sign Out, but that's not guaranteed. Chances are most of them will close the browser and assume they are logged out. Also, we can't rely on public computers being set to delete permanent cookies on browser close.

     

    Suggestion for a permanent solution, assuming session cookies are killed on closing a browser: create one browser session cookie and one persistent cookie when starting a new session. When the browser is closed, the session cookie will be deleted. If someone reopens the browser and tries to access the site, F5 should check for both the session and the persistent cookie. If they don't match or one is missing, F5 should kill the session.

     

    • Mathieu_125197
      Hi Rob 28, I have the same situation in my architecture, so your solution interests me. Could you give us details of the actions to put in place to resolve this (delete cookie)? Maybe you used an iRule?
    • JariH
      Hi, we faced the same problem with persistent APM session cookies. The customer is really mad. Users can access the web site after the browser is closed. Does anyone have a template for the cookie workaround that Rob 28 proposed above? It sounds like a doable and valid solution, but I don't know the correct events in which that LB cookie should be created and where it should be checked to prevent access to the site. Thanks in advance.
    • BrettReed_16317

      Has anyone found a way to make this work? We have the same issue, moving from TMG, which allows you to set cookies depending on whether you are using a public or private computer. Firefox works correctly, and IE works using a "contains" iRule, but I cannot get the Chrome or Opera browsers to perform correctly with their default settings.

       

  • Opening up a ticket with F5 on this subject did not help. They indicated that this issue is a feature request and that if I provided them with the info below they would submit an RFE.

     

    1. Describe the new feature in as much detail as possible.
    2. What is the problem that would be resolved by adding this new feature?
    3. What is the business impact to your site due to the lack of this feature?

    I'll jump through all the hoops but I'm not expecting any solution in the near future.

     

    • mikeshimkus_111
      Historic F5 Account
      Hi, please send me a DevCentral PM with any RFE information provided to you by F5 (subcase, etc.). I can follow its progress from the solutions engineering POV and gather additional customer evidence, if necessary.
  • This is F5 support's answer for the issue: This is expected behaviour because the SharePoint deployment uses a persistence cookie, which is required to edit/access Word, Excel, etc. documents. The HTTP client used by Word, Excel, etc. must have access to the session cookie to pass through APM without getting redirected to the logon page. Transient cookies in browsers are not accessible by another program, as they are in memory, while persistent cookies are stored on disk.

     

    If you will not be editing documents in SharePoint then you can disable the persistence cookie (Access Profile-->SSO/Auth Domains-->Cookie Options--->Persistent).

     

    Please be sure that you will not be editing documents in future, as unchecking the Persistent Cookie option would prevent you from doing this. If the above change is made, the session should be deleted after closing the browser.

     

    Alternatively you could opt to use Portal Access for your deployment.
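    Rob 28's two-cookie idea from earlier in the thread, written out as an iRule. This is an added example, not code from the thread or from F5; the cookie name SPBrowserSession, the session.custom.* variable names and the choice of the ACCESS_ACL_ALLOWED event for the check are assumptions.

```tcl
# Added example (not from this thread or F5): binds the persistent APM
# MRHSession cookie to a browser session cookie, as Rob 28 suggests.
# Cookie name and session.custom.* variable names are assumptions.
when RULE_INIT {
    set static::bs_cookie "SPBrowserSession"
}

when ACCESS_SESSION_STARTED {
    # New APM session: derive a tag that differs from MRHSession, so
    # holding the persistent cookie alone does not reproduce it.
    binary scan [md5 "[ACCESS::session sid][clock clicks][expr {rand()}]"] H* tag
    ACCESS::session data set "session.custom.browser_tag" $tag
    ACCESS::session data set "session.custom.browser_tag_issued" 0
}

when ACCESS_ACL_ALLOWED {
    # Fires for every request APM has already authorised.
    set tag [ACCESS::session data get "session.custom.browser_tag"]
    set issue_cookie 0
    if { [ACCESS::session data get "session.custom.browser_tag_issued"] ne "1" } {
        # First authorised request: issue the browser cookie on the response.
        ACCESS::session data set "session.custom.browser_tag_issued" 1
        set issue_cookie 1
    } elseif { !([HTTP::cookie exists $static::bs_cookie] &&
                 [HTTP::cookie value $static::bs_cookie] eq $tag) } {
        # MRHSession is present but the browser session cookie is gone or
        # wrong: the browser was closed. Kill the APM session (which also
        # invalidates the persistent cookie) and send the client to logon.
        log local0. "APM session [ACCESS::session sid]: browser cookie missing, terminating"
        ACCESS::session remove
        ACCESS::respond 302 Location [HTTP::uri]
    }
}

when HTTP_RESPONSE {
    # Set without Expires/Max-Age, so it lasts only for the browser session.
    if { [info exists issue_cookie] && $issue_cookie } {
        HTTP::cookie insert name $static::bs_cookie value $tag path "/"
        HTTP::cookie secure $static::bs_cookie enable
        HTTP::cookie httponly $static::bs_cookie enable
    }
}
```

    This reintroduces exactly the limitation the F5 support reply above describes: Office's HTTP client never receives the browser session cookie, so document editing fails unless those clients are routed around the check. A browser that refuses cookies will likewise be sent back to the logon page after its first request.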

     

  • Not sure if this is too late, or helps at all, but I have had some success in a lab environment. Just attach a default stream profile and this iRule.

     

    This will inject some JavaScript into the bottom of the page that looks for the user closing the browser, then transparently redirects to SignOut.aspx, which APM interprets as a logout and terminates the session (and persistent cookies). May not work in all environments, and this code only supports IE. For Firefox and Chrome you have to return a message. http://stackoverflow.com/questions/9626059/window-onbeforeunload-in-chrome-what-is-the-most-recent-fix

     

    when HTTP_REQUEST {
        # Looks for SharePoint hangup, kills APM session.
        # Could also set via Logout URI Include setting in APM.
        if { [string tolower [HTTP::uri]] contains "signout.aspx" } {
            ACCESS::session remove
        }
        STREAM::disable
        HTTP::header remove "Accept-Encoding"
    }
    when HTTP_RESPONSE {
        # Check if response type is text
        if { [HTTP::header value Content-Type] contains "text" } {
            # Define the stream replacement
            # Change the 15 in the following line to the version of SharePoint being used: 13 = 2007 / 14 = 2010 / 15 = 2013
            STREAM::expression {@@ @}
            STREAM::enable
        }
    }