iRule for HTTP::cookie creation works once on the first login. Any login after that no cookie is created
when HTTP_RESPONSE {
    # If the table should be set, then take record of the ClientIP and set the encrypted cookie
    if { [ACCESS::session data get session.custom.suppressmfa.setauthtable] == 1 } {
        # Insert the cookie, then set its lifetime and flags before encrypting the value
        HTTP::cookie insert name $static::suppress_mfa(cookie) value $static::suppress_mfa(value) path "/"
        HTTP::cookie expires $static::suppress_mfa(cookie) $static::suppress_mfa(seconds) relative
        HTTP::cookie secure $static::suppress_mfa(cookie) enable
        HTTP::cookie httponly $static::suppress_mfa(cookie) enable
        HTTP::cookie encrypt $static::suppress_mfa(cookie) $static::suppress_mfa(passphrase)
        HTTP::header "Cache-Control" "max-age=$static::suppress_mfa(seconds)"
    }
}
Hello,

I have an iRule that creates a cookie on HTTP_RESPONSE, sets an expiration, and sets a Cache-Control. This worked perfectly for months, then we upgraded to 14.1.4 and it stopped working. The access policy has 2 logins: the first is an MFA login (Microsoft Authenticator) and the second is a domain login (username/pw). When the cookie is created, and while it is still valid, any further logins will suppress the MFA portion of the access policy.

In the iRule "when RULE_INIT" an array is created. In the array there are 4 variables. This is used to set the cookie "when HTTP_RESPONSE". Upon the next login, "when ACCESS_SESSION_STARTED" checks the cookie and sets a "hash" variable. Then "when ACCESS_POLICY_AGENT_EVENT" does a compare of the "hash" to the "value"; if they match, then it sets the bypass. If they do not, then it continues with the "when HTTP_RESPONSE" portion and tries to create the cookie.

Like I said, it creates it one time for one person but never again until I flip over to the standby or reboot. I am thinking there has to be some sort of cache going on. I have been working on this since we upgraded and cannot figure out why it is no longer working. Any help would be greatly appreciated. I modeled this after https://devcentral.f5.com/s/articles/Suppress-MFA-for-a-period-of-time and just adapted it for my needs. Below is the portion that is not working.
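A read-only trace of the three stages described in the post, added here as an example; it is not the poster's code and not the code from the linked article. It assumes the existing rule's RULE_INIT has already populated `static::suppress_mfa`, and the `suppress_mfa trace` log prefix is made up for this example. It logs only whether the cookie is present, never its value or the passphrase.

```tcl
# Added diagnostic iRule: attach it to the same virtual server as the existing rule.
# It changes nothing; it only writes trace lines to the LTM log.

when ACCESS_SESSION_STARTED {
    # Did the browser send the suppress cookie on the request that started this session?
    set present [HTTP::cookie exists $static::suppress_mfa(cookie)]
    log local0. "suppress_mfa trace: session started client=[IP::client_addr] cookie_present=$present"
}

when ACCESS_POLICY_AGENT_EVENT {
    # Which policy agent fired, and what the flag looks like at that point
    set flag [ACCESS::session data get session.custom.suppressmfa.setauthtable]
    log local0. "suppress_mfa trace: agent=[ACCESS::policy agent_id] setauthtable='$flag'"
}

# Priority 900 runs this handler after the existing HTTP_RESPONSE handler (default 500),
# so the check below sees whether the cookie was actually inserted.
when HTTP_RESPONSE priority 900 {
    set flag [ACCESS::session data get session.custom.suppressmfa.setauthtable]
    set inserted [HTTP::cookie exists $static::suppress_mfa(cookie)]
    log local0. "suppress_mfa trace: response status=[HTTP::status] setauthtable='$flag' set_cookie_present=$inserted"
}
```

Comparing a first login with a later one in the log shows which condition differs: the cookie arriving on the request, the flag being set by the policy, or the insert happening on the response.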