Remove authorization header

Question

Hello guys, &nbsp;
we have an application using APM+LTM websso with basic http authentication, we want to remove http authorization header after the first logon.&nbsp;
Thank You&nbsp;

john_huttley · Answer

Hi,&nbsp;
You would expect that after basic succeeds, the server sets a session cookie to authenticate subsequent requests.&nbsp;
Basic auth is just a header&nbsp;
Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l &nbsp;
so you could check for the existance of a session cookie and then  
&nbsp;
HTTP::header remove "Authorization"&nbsp;
https://devcentral.f5.com/wiki/iRules.HTTP__header.ashx&nbsp;
It does seem to be an odd thing to do since the browser should not send "Authorization" unless asked by the server sending &nbsp;
WWW-Authenticate&nbsp;
https://en.wikipedia.org/wiki/Basic_access_authentication&nbsp;
So I think you will break things.&nbsp;
-John&nbsp;

Forum Discussion

Remove authorization header

Recent Discussions

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Submenus missing in ASM Security Tab

XC Bot defense question

LTM Rule, iRule, or Brute Force Configuration to Limit URL Access

NetScaler to F5 Migration

Related Content

iRule to Remove Duplicate Header by Value

Remove X- Headers From Web Server Response

Remove the "Server" header

Resolve Citrix Secure Ticket Authority (STA)

ASM irule to disable attack signature authorization header with specific value

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS