Forum Discussion
help on iRule
The client PC connects using an existing HTTPS link and is directed to our authentication module; this in turn authenticates the user, creates a token for that user session in our application DB and sends another redirect URL with a token back to the client PC. The client PC uses this HTTPS redirect URL with the token, and this in turn triggers our Infocenter application, which allows login and invalidates the token.
Now the issue is that the token, which is part of the GET method in the URL, could be prone to a sniffing / MITM attack and hence be used by someone else to log in.
Can an iRule be written where, when F5 sends the response to the client, the token will get encrypted or hidden in the URL?
2 Replies
- What_Lies_Bene1
Cirrostratus
Hmmm, that shouldn't be possible if you are using HTTPS. As it's in the URL and not compressed you are also NOT vulnerable to CRIME or BEAST, which is good.
If you did encrypt or mask it, this wouldn't help as the MITM could just sniff that and use that instead. Likewise, if you put it in a cookie and encrypted that, the encrypted cookie could just be replayed.
In this instance you are probably better off ensuring your TLS configuration is highly secure.
- spalande
Nacreous
Thanks Steve. By any chance do you have an iRule to mask the token in the response from F5 to the client? The token will be added in the URL.
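As an added illustration of the handoff described in the question (this is example code, not from the thread, F5, or the poster's application): a minimal issue-once / redeem-once token store that shows why the token's single-use property, not its encoding in the URL, is what limits a captured redirect. The hostname, the 60-second lifetime and the in-memory dict standing in for the application DB are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 60  # assumption: a handoff token is only valid for one minute


class HandoffTokens:
    """Issue-once / redeem-once tokens for the auth-module -> Infocenter redirect.

    Only a hash of each token is stored, so a copy of the token table cannot be
    used to log in. Redemption removes the token, so a replay of the same URL
    (the sniffing case raised in the question) fails after the first use.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # sha256(token) -> (user, expiry timestamp)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redirect_url(self, token):
        # Constructed hostname; the real redirect target is whatever Infocenter uses.
        return "https://infocenter.example/login?token=" + token

    def redeem(self, token):
        """Return the user for a fresh, unexpired token; None otherwise.

        The entry is popped before any check, so even a failed attempt
        (e.g. an expired token) leaves nothing behind to retry against.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user
```

Whether the token is masked or not, whoever presents it first to `redeem` wins; the defence is keeping the TLS leg intact and the token lifetime short, as the reply above says.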