For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

bdavis's avatar
bdavis
Icon for Nimbostratus rankNimbostratus
Apr 28, 2014

APM Irule: Verification of Cookie after redirect.

I have a VIP which is protected by APM and an Irule that contains a event section that is called during the APM process to check and see if the user has a specific cookie and if they do not have this cookie they get redirected to the front-end of a SSO site. After authenticating to this SSO Application they are redirected back to the front-end of the application protected by APM and there should be a cookie that was inserted by the SSO agent. What happens is I see the cookie in the 302 response back to the user, but the cookie is not present in the following request to the application after the 302. I initially assumed that the domain of the cookie was not correct however I have tried setting the domain, not setting the domain and I never receive the cookie after the redirect. Does anyone out there have any suggestions?

 

application delivery
BIG-IP Access Policy Manager (APM)
deployment
design
devops
iRules
security

2 Replies

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Apr 29, 2014

    Okay, so please verify that the request after the 302 and Set-Cookie header (the one missing this cookie):

     

    1. Is in the same domain as that set in the domain attribute, and

       

    2. Is behind an HTTPS URL

       

    You also mentioned that you captured this earlier today, presumably the 28th of April, 2014, but this cookie is set to expire on the 24th of April, 2014.