For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Isaac_105703's avatar
Isaac_105703
Icon for Nimbostratus rankNimbostratus
Jun 25, 2009

iRule to maintain POST data for redirect

Hi there,   I have a web page that has username/password fields. A "login" button performs a POST of that data to a file on the site (/cgi-bin/login.cgi) for authentication.   I want to forc...
application delivery
dev
devops
iRules
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Jun 26, 2009
Hi Isaac,

 

 

As you've found, redirecting a POST request triggers the client to make a GET request to the new Location. Any POST data is lost in the process. In terms of LTM configuration, it would probably be easiest to rewrite the response which generates the POST via HTTP so that the POST is made via HTTPS.

 

 

If you are trying to prevent sensitive data from being sent in the clear it's too late by the time the POST request is sent with the login credentials. The data is already being sent in cleartext. Ideally you would try to prevent the HTTP request before it's made. If the response which generates the HTTP request is sent to the client through LTM, you could potentially rewrite it to reference the HTTPS VIP using a stream profile and STREAM::expression iRule (Click here). Or more ideally, you could change the application to reference https instead of http.

 

 

Aaron