NimbostratusYour custom scenario and ones like it is basically the reason that BIG-IP has irules and APM has a logic flow.
Some tips that may be helpful:
Don't use ACCESS::session remove. It is almost never appropriate because it only ends the session on the APM server and not on the client. If you want to end the session, redirect the user to APM's hangup page (/vdesk/hangup.php3). That will destroy the cookies, end the APM session, and put the user into a landing page that indicates logout.
If you want to modify an HTTP response to the client, use HTTP_RESPONSE_RELEASE. This event happens immediately before it's transmitted so you can modify anything, including APM-insered stuff.
Some of the HTTP connections occur between the client and APM itself to get APM resoruces so the "HTTP_REQUEST" event happens at a strange time because the request is internally handled instead of going out to an external server.
Normally APM will use the session variable "session.server.landinguri" to redirect the user once the access policy is complete. This session variable can be used during access policy evaluation also so that you can tell what the user FIRST navigated to when creating the session. It can be useful in a lot of cases where you want to make logic based on the beginning request.
