For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Vinne73's avatar
Vinne73
Icon for Cirrus rankCirrus
Dec 04, 2014

Problem with detecting form: why use headers on HTTP_REQUEST, and not on HTTP_RESPONSE

Hi,

 

I'm trying to recognise/detect a login form on the back-end application. There is no unique login URI and sometimes the client has a cookie while the back-end asks to log in again.

 

I have found that the back-end application supplies a HTTP header with the response ("RespondingWithSignonPage"), indicating that a login is required.

 

Now, I want to enter this into my Form - Client Initiated, Form Detection. I select Header, enter "RespondingWithSignonPage". It doesn't work. Then I read the documentation, and it appears that this relates to headers sent by the client (HTTP_REQUEST), not during the response.

 

Is my assumption correct? Why would it be like that? How can I detect a form based on the cookies and headers of the client? Seems like they got it reversed?

 

Thank you Vincent

 

BIG-IP Access Policy Manager (APM)
deployment
security

2 Replies

  • Belanger__Yves's avatar
    Belanger__Yves
    Icon for Altostratus rankAltostratus
    Aug 01, 2016

    Hi,

     

    I think I found a simpler solution. I use the advance option request negative for the session cookie.

     

    Thanks Yves