For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Oct 23, 2018

Hi,

 

you can use this code:

 

when RULE_INIT {
   set static::session_restore_aes_key "AES 256 affeaffeaffeaffeaffeaffeaffeaffeaffeaffeaffeaffeaffeaffeaffeaffe"  ; AES Key to protect and validate recovery data
    set static::session_restore_aes_key [AES::key 256]  ; AES Key to protect and validate recovery data
     Define here all session variables used to build client fingerprint
    set static::host_fingerprint_sources {
        session.user.ipgeolocation.country_code
        session.user.agent
     }
}
when ACCESS_SESSION_STARTED {
     Build client fingerprint and write it in session variable
    set data_decoded ""
    foreach source $static::host_fingerprint_sources { append data_decoded [ACCESS::session data get $source]}
    set session_hash [sha1 $data_decoded]
    ACCESS::session data set session.custom.fingerprint $session_hash
     Check if user already success OTP challenge. if true, provision session.custom.username variable with username of previous session stored in cookie
    if { [HTTP::cookie exists HostToken] } {
         Cookie content is secured by a AES key (generated each time irule is loaded)
        set cookie_content_list [AES::decrypt $static::session_restore_aes_key [b64decode [HTTP::cookie value HostToken]] ]
        if {($session_hash == [lindex $cookie_content_list 2]) && ([ACCESS::session data get session.user.starttime] < [lindex $cookie_content_list 1])} {
            ACCESS::session data set session.custom.username [lindex $cookie_content_list 0]
        }
    } 
}

when ACCESS_ACL_ALLOWED {
    if {[HTTP::path] equals "/fingerprint_accept" } {
        set cookie_expire_absolute [expr {[ACCESS::session data get session.user.starttime] + 24*3600}]
        set cookie_expire_date  [clock format $cookie_expire_absolute -format "%a, %d-%b-%Y %H:%M:%S GMT" -gmt true]
        set cookie_content_list [list [ACCESS::session data get session.logon.last.username] $cookie_expire_absolute [ACCESS::session data get session.custom.fingerprint]]
        set cookie [format "HostToken=%s; path=/; expires=%s;Secure; HttpOnly" [b64encode [AES::encrypt $static::session_restore_aes_key $cookie_content_list]] $cookie_expire_date]
        ACCESS::respond 302 noserver Location [binary format H* [URI::query [HTTP::uri] redirect]]  "Set-Cookie" $cookie
    }
}

In VPE, just after authentification, create an empty box with branch expression:

 

expr { [mcget {session.logon.last.username}] == [mcget {session.custom.username}] }

This expression lead to bypass OTP

 

then after successful OTP branch, create a variable assign box with content

 

session.server.landinguri =

 

binary scan [mcget {session.server.landinguri}] H* tmp;
return "/fingerprint_accept?redirect=$tmp"

This solution will allow to bypass OTP only if the fingerprint is the same with same username and within 24 hours time range.