F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

f5rocks_86658's avatar
f5rocks_86658
Icon for Nimbostratus rankNimbostratus
Jun 01, 2016

Need to allow request only if application opens from parent portal

Dear Experts,   Please suggest with an iRule, where application access only to be allowed if app is being accessed from authenticated portal only. Referer header can be checked on first request. H...
iRules
security
Yann_Desmarest_'s avatar
Yann_Desmarest_
Icon for Nacreous rankNacreous
Jun 01, 2016

Hi,

You can use ASM module to force url access through a specific workflow "URL Flow".

You can use APM and extend the session cookie domain to fit both apps. Then, with an irule, you can check for valid session and grant access or deny/redirect user.

Not sure if this is good in terms of security but you can use an irule to identify the referer and provide a cookie, here is the logic :

when HTTP_REQUEST {
    set insert_cookie 0
    if { !([HTTP::cookie exists MRH]) } {
        reject
    }
    if { [HTTP::header Referer] eq "https://myportal.com/index.html" } {
        set insert_cookie 1
    }
}

when HTTP_RESPONSE {
    if { [info exists insert_cookie] and $insert_cookie == 1 } {
        HTTP::cookie insert MRH value "some verifiable encrypted string"
    }
}

That's the concept, then you should then add some security around the cookie value generation

spalande's avatar
spalande
Icon for Nacreous rankNacreous
Jun 01, 2016
Thanks Yann for the response. will above iRule add MRH cookie in all subsequent requests of (VIP2) or only initial requests from the authenticated portal? Only initial request will have referer header I need to allow only request is coming from authenticated portal (VIP1). VIP1 is having form based authentication and doesn't have APM configured. I have ASM module running as well. Will that be also helpful in my case?