For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

swifty_89412's avatar
swifty_89412
Icon for Nimbostratus rankNimbostratus
Apr 23, 2012

Access policy evaluation is already in progress for your current session.

I have an access policy to provide single sign-on amongst a set of Windows (NTLM) authenticated web sites. I have set up a 'Logout URI Include' in the 'Configurations' of the Access Profile. For the m...
app sec
BIG-IP Access Policy Manager (APM)
security
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Apr 23, 2014

The already in progress error page, for the most part, is triggered when you attempt to access a non-APM URI:

  1. During the access policy evaluation, and
  2. With a URI that doesn't match the original URI - stored in the session.server.landinguri session variable.

Not sure if this will help you, but the following should ensure that a non-APM/non-original URI does not trigger the in progress error:

when HTTP_REQUEST {
    if { ( [HTTP::cookie exists MRHSession] ) and not ( [ACCESS::session exists -state_allow [HTTP::cookie value MRHSession]] ) } {
        if { ( [HTTP::uri] ne [ACCESS::session data get session.server.landinguri] ) and not ( [ACCESS::session data get session.server.landinguri] eq "" ) } {
            HTTP::redirect [ACCESS::session data get session.server.landinguri]
        }       
    }
}

The idea is this. If an HTTP request comes in that:

  1. Has the MRHSession cookie
  2. Has an access policy that is not completed, and
  3. The request URI does not match the landinguri variable

redirect back to the landinguri URI.