For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Jared_Townsley_'s avatar
Jared_Townsley_
Historic F5 Account
Nov 06, 2009
A pre-logon sequence can contain an "External Logon Page" ending (instead of "Logon Page") that redirects users to an external server with two HTTP POST variables. The two variables are "client_data" and "post_url." The client_data contains encoded results of the pre-logon inspection. The post_url contains the URL that the external logon page must use to POST back to FirePass.

In order to use this feature the external page must do a HTTP POST to FirePass containing client_data, username, password, tzoffsetmin=1, and mrhlogonform=1. As a security precaution, the value of client_data can only be submitted to FirePass once. It is also recommended to check the contents of post_url to make sure you are posting back to a legitimate FirePass.

Here is an example of an External Logon Page written in PHP and HTML: 

 
    // verify post_url is valid 
   if(!preg_match("/^(http[s]?:\/\/)([^\/\<\>]+)\/([^\<\>]*)$/i", $HTTP_POST_VARS["post_url"], $host)) { 
     echo(htmlentities($HTTP_POST_VARS["post_url"])." is not a valid URL"); 
     exit; 
   } 
   // only POST to our firepass 
   if ($host[2] != "10.10.190.10") { 
     echo(htmlentities($host[2]). " is not an authorized FirePass host."); 
     exit; 
   } 
 php?> 
  
  
  
  action="" method="post">  
   "> 
    
    
   Username: 
 
   Password: