Forum Discussion
APM: Insert a cookie on an HTTP Response inside APM flow
Hi all,
this is the situation: I'm performing a simple authentication on an Oracle LDAP by APM; in case of password expiration I configured an ending that redirects to an external change password page. I need to send to this page, and so to the user, a cookie (or a header, it doesn't matter) with the user name of the user that logged in. I've tried with an iRule on the HTTP Response event but it doesn't seem to be triggered when the ending of the APM flow is a redirect.
This is the simple iRule that I used:
when HTTP_RESPONSE {
    log local0. "Inserisco il cookie con il nome utente"
    HTTP::cookie insert name "user" value "Pippo"
}
I can't see the log on LTM, so I imagined that in case of a redirect I don't exit from APM, so I tried to insert an iRule on ACCESS_POLICY_AGENT_EVENT:
when ACCESS_POLICY_AGENT_EVENT {
    HTTP::cookie insert name "user" value "pippo"
    log local0. "INSERTUSER: Sto inserendo il cookie"
}
But still nothing.... Can you help me?
Cristian
- kunjan (Nimbostratus)
Are you able to use ACCESS_POLICY_COMPLETED event with ACCESS::respond?
https://devcentral.f5.com/wiki/iRules.ACCESS__respond.ashx
- Cri (Nimbostratus)
I tried this event this afternoon: the event is correctly triggered but it seems to work server side, not client side; I can't see a Set-Cookie instruction in the response. I wonder if I'm able to operate client side in this "particular" situation...
- Cody_Green (Employee)
Hi Cristian,
Another option would be to use the pool select option in the APM VPE versus redirecting the user. This would switch the resource pool to the change password server and you could then use a WebSSO method to provide the username to the backend application. Once the user updates their password you would issue a log off event and have them log in with their new credentials.
The advantage to this over the redirect is that any username in the cookie, POST header, or GET URI could be intercepted and modified. With this option you can use the multifactor authentication capabilities of APM and send a one time password to the user that must be verified before they can access the change password site.
Just a thought...
Cody
- Cri (Nimbostratus)
Hi Cody,
really an interesting solution! To adopt it I have to change some iRules because the server that hosts the change password page needs to be called with a specific host header, and using the pool selection method the user doesn't change the host context.
At the moment I implemented an easy solution that passes the username in the URI, modifying the redirect ending in this way:
{session.logon.last.username}
I don't like this solution because HTTP encoding could change the value of the username in case it includes special characters, so I'm going to test your suggestion asap. I'll let you know if it works, thank you for your help!
Cristian
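Added example, not code from the thread or from F5: one way to address both concerns raised above (a username in a cookie or URI can be modified in transit, and special characters can be mangled by encoding) is to percent-encode the username and bind it to an expiry with an HMAC that the change-password page verifies. The shared key, the function names and the token layout are assumptions, and whatever issues the redirect would have to produce the same format.

```python
import hashlib
import hmac
import time
from urllib.parse import quote, unquote

# Assumption: a secret shared by the token issuer and the change-password page.
SHARED_KEY = b"constructed-demo-key-change-me"
MAX_AGE = 300  # seconds a token stays valid


def _mac(payload):
    """Hex HMAC-SHA256 of the payload under the shared key."""
    return hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()


def make_token(username, now=None):
    """Return '<pct-encoded user>.<expiry>.<hmac>' for a URI or cookie value."""
    expiry = int(now if now is not None else time.time()) + MAX_AGE
    # safe="" also encodes '/', so only letters, digits and "_.-~" stay literal.
    payload = f"{quote(username, safe='')}.{expiry}"
    return f"{payload}.{_mac(payload)}"


def verify_token(token, now=None):
    """Return the username if the token is authentic and unexpired, else None."""
    try:
        # Split from the right: the encoded username may itself contain '.'.
        enc_user, expiry, mac = token.rsplit(".", 2)
        expires_at = int(expiry)
    except ValueError:
        return None
    expected = _mac(f"{enc_user}.{expiry}")
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    if (now if now is not None else time.time()) > expires_at:
        return None
    return unquote(enc_user)


if __name__ == "__main__":
    sample = "O'Brien, José/ops+admin@example.com"  # constructed username
    token = make_token(sample)
    print(token)
    print(verify_token(token))
```

The HMAC only detects modification; the username is still readable by anyone who sees the redirect, so the token belongs on HTTPS only.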