For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

drugovm_149811's avatar
drugovm_149811
Icon for Nimbostratus rankNimbostratus
Apr 24, 2014

How to check for apm cookie exisitence

We have 2 web sites that using different authentication (2 different AD forest) with 2 different APM Access Policies that applied to respective Virtual Servers.

 

We have other websites that I don't want to be accessible unless users authenticated first in the initial 2 web sites. (right now you can hit those websites directly and after authenticating to login page you would have access). My main goal not to display login page and if the user didn't login before - redirect to some page

 

I was thinking that it can be achieved for checking for cookie presence (maybe a custom cookie needs to be inserted on successful authentication)

 

application delivery
BIG-IP Access Policy Manager (APM)
devops
iRules
LTM
security

3 Replies

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Apr 25, 2014

    Interesting idea. I think the question boils down to what you can send to a browser that other sites can see. Historically, there are only a few ways to do this, and probably the most popular would be a domain cookie. This is a cookie sent by a server that has a domain attribute. Example:

    Set-Cookie: foo=bar; path=/; domain=domain.com

    It's basically an expanding scoping mechanism that allows the browser to share this cookie across hosts that match the specified domain pattern.

    www.domain.com
foo.domain.com
bar.domain.com
...

    If that's the situation you have, then the answer could be pretty straight forward.

    On the first 2 VIPs:

    when HTTP_REQUEST {
    if { not ( [HTTP::cookie exists MYSITES] ) } {
        HTTP::respond 302 Location "http://[HTTP::host][HTTP::uri]" "Set-Cookie" "MYSITES; path=/; domain=domain.com"
    }
}

    If the client accesses the VIP and doesn't have this cookie, then it'll get an immediate redirect loop that sets the cookie. On the other website (that users shouldn't be able to access without going to either of the first two first):

    when HTTP_REQUEST {
    if { not ( [HTTP::cookie exists MYSITES] ) } {
        HTTP::redirect "...somewhere else..."
    }
}

    By virtue of not having visited either of the other VIPs, access to this VIP would get an immediate redirect to the URL of your choice. I'll also comment that for the sake of simplicity, the first iRule just sets the cookie based on initial access, not valid APM authentication. You'd need a slightly different mechanism to set this cookie after authentication.

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Apr 26, 2014

    Let's say you created the MYSITE cookie as a result of a successful authentication to one of the first two sites. Let's also say that you gave that cookie the value of the authenticated session ID, the MRHSession value from that site. When the client made a request to the third site and passed this cookie, you could check the state of that session cookie with the ACCESS::policy result -sid command. You may have to be careful with this approach though. Given that the browser will send this cookie to any site that matches the domain, you may be sending an active session token to other sites unintentionally. Another option may be to generate a unique ID, insert that into a subtable, and then use that value in the MYSITE cookie. The session table is global, so when the third site receives the MYSITE cookie, it can verify it against the session table. Other sites may still unintentionally see this cookie value, but it wouldn't be exposing an active session ID.