For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

1 Reply

  • Stanislas_Piro2's avatar
    Stanislas_Piro2
    Icon for Cumulonimbus rankCumulonimbus
    Nov 15, 2016

    Hi,

    you can use this irule (not tested)

    when RULE_INIT {
         to be changed prior to any publishing
        set static::passphrase "hEuoYjmFUpB4PcpO3bUdQtLP4ic7jjm"
} 

when ACCESS_SESSION_STARTED {
    if { [HTTP::cookie exists APMAuth] } {
        set decrypted [HTTP::cookie decrypt "APMAuth" $static::passphrase]
        scan $decrypted {%[^:]:%s} username password
        ACCESS::session data set session.logon.last.username $username
        ACCESS::session data set -secure session.logon.last.password $password
    }
}

when ACCESS_POLICY_COMPLETED {
    if { ([ACCESS::policy result] equals "allow") } {
        HTTP::cookie encrypt "TMPCOOKIE" "[ACCESS::session data get session.logon.last.username]:[ACCESS::session data get -secure session.logon.last.password]"
        HTTP::cookie encrypt "TMPCOOKIE" $static::passphrase
        ACCESS::respond 302 noserver "Location" [ACCESS::session data get session.server.landinguri] "Cache-Control" "no-cache, must-revalidate" Set-Cookie "APMAuth=[HTTP::cookie TMPCOOKIE];path=/"
    }
}

    and configure VPE to check if session.logon.last.username is not null.

    if session.logon.last.username equals "" then prompt for logon page, else validate authentication with user / password stored in encrypted cookie.