Forum Discussion

wbrowne's avatar
wbrowne
Icon for Altostratus rankAltostratus
Mar 25, 2021

iRule for HTTP::cookie creation works once on the first login. Any login after that no cookie is created

when HTTP_RESPONSE {   # if table shoud be set then take record of the ClientIP and set encrytped cookie   if { [ACCESS::session data get session.custom.suppressmfa.setauthtable] == 1 } {   HTTP...
BIG-IP Access Policy Manager (APM)
devops
iRules
log
security
wbrowne's avatar
wbrowne
Icon for Altostratus rankAltostratus

I was able to get this fixed with the help of a colleague. No matter what we tried in the response it always worked for the first person but no one after. We took the when HTTP_RESPONSE out completely and added a when ACCESS_POLICY_COMPLETES. 

when ACCESS_POLICY_COMPLETED {
 
    if { [ACCESS::session data get session.custom.suppressmfa.setauthtable] == 1 }{
    	set sessionauth [ACCESS::session data get session.custom.suppressmfa.setauthtable]
			if {$static::AMIADEV_Cookie_debug } {log local0. "AMIA set auth table is $sessionauth"}
		table set tab_amia:[IP::client_addr] Authed $static::suppress_mfa(seconds)
		set taba [table lookup tab_amia:[IP::client_addr]]
			if {$static::AMIADEV_Cookie_debug } {log local0. "$taba"}
        HTTP::cookie insert name $static::suppress_mfa(cookie) value $static::suppress_mfa(value) path "/"
            if {$static::AMIADEV_Cookie_debug } {log local0. "cookie $static::suppress_mfa(cookie) set for $static::suppress_mfa(seconds)"}
        HTTP::cookie expires $static::suppress_mfa(cookie) $static::suppress_mfa(seconds) relative
            if {$static::AMIADEV_Cookie_debug } {log local0. "cookie expires in $static::suppress_mfa(seconds)"}
        HTTP::cookie secure $static::suppress_mfa(cookie) enable
        HTTP::cookie httponly $static::suppress_mfa(cookie) enable
        HTTP::cookie encrypt $static::suppress_mfa(cookie) $static::suppress_mfa(passphrase)
        ACCESS::respond 302 noserver "Location" [ACCESS::session data get session.policy.result.start_uri] "Cache-Control" "no-cache, must-revalidate" Set-Cookie "$static::suppress_mfa(cookie)=[HTTP::cookie $static::suppress_mfa(cookie)];path=/;secure;httponly;Max-age=$static::suppress_mfa(seconds)"
            if {$static::AMIADEV_Cookie_debug } {log local0. "policy completed"}
        foreach aHeader [HTTP::header names] {
			if {$static::AMIADEV_Cookie_debug } {log local0. "$aHeader: [HTTP::header value $aHeader]"}}
        unset sessionauth
		unset taba
        }
 }
Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Apr 01, 2021

So the HTTP_RESPONSE event didn't match for the users after the first user?

 

If so this is strange and this as you mentioned did work for older versions. Maybe a bug or change in how the F5 processes packets in the newer versions.

 

 

 

What found is that HTTP_RESPONSE is not triggered for locally generated F5 response and as this is APM, maybe this can be case:

 

https://clouddocs.f5.com/api/irules/HTTP_RESPONSE.html