For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

wbrowne's avatar
wbrowne
Icon for Altostratus rankAltostratus
Mar 25, 2021

iRule for HTTP::cookie creation works once on the first login. Any login after that no cookie is created

when HTTP_RESPONSE {   # if table shoud be set then take record of the ClientIP and set encrytped cookie   if { [ACCESS::session data get session.custom.suppressmfa.setauthtable] == 1 } {   HTTP...
BIG-IP Access Policy Manager (APM)
devops
iRules
log
security
wbrowne's avatar
wbrowne
Icon for Altostratus rankAltostratus
Mar 31, 2021

I was able to get this fixed with the help of a colleague. No matter what we tried in the response it always worked for the first person but no one after. We took the when HTTP_RESPONSE out completely and added a when ACCESS_POLICY_COMPLETES. 

when ACCESS_POLICY_COMPLETED {
 
    if { [ACCESS::session data get session.custom.suppressmfa.setauthtable] == 1 }{
    	set sessionauth [ACCESS::session data get session.custom.suppressmfa.setauthtable]
			if {$static::AMIADEV_Cookie_debug } {log local0. "AMIA set auth table is $sessionauth"}
		table set tab_amia:[IP::client_addr] Authed $static::suppress_mfa(seconds)
		set taba [table lookup tab_amia:[IP::client_addr]]
			if {$static::AMIADEV_Cookie_debug } {log local0. "$taba"}
        HTTP::cookie insert name $static::suppress_mfa(cookie) value $static::suppress_mfa(value) path "/"
            if {$static::AMIADEV_Cookie_debug } {log local0. "cookie $static::suppress_mfa(cookie) set for $static::suppress_mfa(seconds)"}
        HTTP::cookie expires $static::suppress_mfa(cookie) $static::suppress_mfa(seconds) relative
            if {$static::AMIADEV_Cookie_debug } {log local0. "cookie expires in $static::suppress_mfa(seconds)"}
        HTTP::cookie secure $static::suppress_mfa(cookie) enable
        HTTP::cookie httponly $static::suppress_mfa(cookie) enable
        HTTP::cookie encrypt $static::suppress_mfa(cookie) $static::suppress_mfa(passphrase)
        ACCESS::respond 302 noserver "Location" [ACCESS::session data get session.policy.result.start_uri] "Cache-Control" "no-cache, must-revalidate" Set-Cookie "$static::suppress_mfa(cookie)=[HTTP::cookie $static::suppress_mfa(cookie)];path=/;secure;httponly;Max-age=$static::suppress_mfa(seconds)"
            if {$static::AMIADEV_Cookie_debug } {log local0. "policy completed"}
        foreach aHeader [HTTP::header names] {
			if {$static::AMIADEV_Cookie_debug } {log local0. "$aHeader: [HTTP::header value $aHeader]"}}
        unset sessionauth
		unset taba
        }
 }
Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Apr 01, 2021

So the HTTP_RESPONSE event didn't match for the users after the first user?

 

If so this is strange and this as you mentioned did work for older versions. Maybe a bug or change in how the F5 processes packets in the newer versions.

 

 

 

What found is that HTTP_RESPONSE is not triggered for locally generated F5 response and as this is APM, maybe this can be case:

 

https://clouddocs.f5.com/api/irules/HTTP_RESPONSE.html