Forum Discussion

amass87_221296
Nov 15, 2017

F5 APM Login Page Reload Attempts Username Evaluation

I am working on a tricky F5 issue. While trying to port a custom HTML page from Microsoft TMG to F5 BIG-IP APM, I have come across a behavior on the F5 that I would like to mitigate. This particular custom HTML page requires that there is a link that inserts a cookie and reloads the page. This function happens in JavaScript. When the page reloads, the F5 logs an entry for Username ''. After 3 reloads APM reaches Max Failed Login Attempts and displays "Your session could not be established." The first question I have is why is authentication attempted before the Form Submit button is pressed?

 

JavaScript, Cookie, Page Reload: When the link is pressed, a cookie is inserted and location.reload() is invoked on the page.

 

Cookie Evaluation: The presence of the cookie loads an alternate CSS file, and the location.reload() allows the page to load with the new CSS file. This allows for a different logo and color scheme to be applied. When the link is pressed a 2nd time, the cookie is removed, the page is reloaded, and the default CSS file is applied.

 

Is it possible to prevent the F5 from evaluating form data when the page is reloaded? Would it be possible to redirect the user back to the login page and reset the number of login attempts?

 

3 Replies

  • What you could do is create a macro.

    Edit/rename the macro to loop 5 times

    In the macro add your logon page and an empty agent (General purpose tab)

    In the empty agent add the following :
    expr { [mcget {session.logon.last.username}] == "" }
    

    Name the branch "no username"

    Change the no username ending to loop and the fallback to allow

    Then add the macro instead of your current logon page, where the allow will be attached to your AAA agent (AD) and the loop ending to deny.

    This will give the user 4 tries to find the right CSS.

    Once a username is entered and authentication fails, the AAA agent will go directly to the logon page, so the process of switching CSS files will fail in the same way as it did before.

    Cheers,

    Kees

  • No, the cookie is inserted via the custom JavaScript code inserted into the login.inc page. The custom JavaScript applies a separate CSS file depending on whether the cookie is present. It also adds/removes the cookie based on clicking a link. First click adds cookie and reloads page, second click removes cookie and reloads page, third add/reload, etc. It transforms the link into a toggle for CSS files. The reload allows the different CSS file to be applied based on the presence of the cookie.

     

    The best solution I could come up with is to create an empty policy object that looks at whether both username/password are blank and then have a custom ending that redirects back to the original URL to reset the process.

     

  • Hi,

    How is the cookie inserted? Via an iRule?

    Cheers,

    Kees

    P.S. It is default behaviour to post the password and username variables to the AAA agent when reloading the login page.
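
The cookie toggle described in this thread, reworked so the stylesheet is swapped in place instead of calling location.reload(); with no reload, no new request reaches the APM logon page and no empty username is evaluated. This is an added example, not code from any poster: the cookie name, CSS paths and element ids are assumptions.

```javascript
// Added example. THEME_COOKIE, the CSS paths and the element ids are hypothetical.
const THEME_COOKIE = "altTheme";
const DEFAULT_CSS = "/public/default.css";
const ALT_CSS = "/public/alternate.css";

// True when the theme cookie appears in a document.cookie-style string.
function hasThemeCookie(cookieString) {
  return cookieString
    .split(";")
    .map((part) => part.trim())
    .some((part) => part === THEME_COOKIE || part.startsWith(THEME_COOKIE + "="));
}

// Stylesheet that matches the current cookie state (used on initial page load).
function cssFor(cookieString) {
  return hasThemeCookie(cookieString) ? ALT_CSS : DEFAULT_CSS;
}

// Flip the cookie and swap the <link> href in place. There is no
// location.reload(), so the logon page is not requested again.
function toggleTheme(doc, linkEl) {
  const enable = !hasThemeCookie(doc.cookie);
  // Secure assumes the logon page is served over HTTPS.
  doc.cookie = enable
    ? THEME_COOKIE + "=1; path=/; max-age=31536000; Secure; SameSite=Lax"
    : THEME_COOKIE + "=; path=/; max-age=0; Secure; SameSite=Lax"; // expire it
  linkEl.href = enable ? ALT_CSS : DEFAULT_CSS;
  return linkEl.href;
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => {
    const link = document.getElementById("theme-css");      // <link rel="stylesheet">
    const toggle = document.getElementById("theme-toggle"); // the toggle link
    if (!link || !toggle) return;
    link.href = cssFor(document.cookie); // honour a cookie set on an earlier visit
    toggle.addEventListener("click", (ev) => {
      ev.preventDefault(); // do not navigate or resubmit anything
      toggleTheme(document, link);
    });
  });
}
```

The macro loop and the blank-username branch from the replies still apply to any request that does reach the logon page with empty fields.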