Forum Discussion
Carl_Gottlieb_1
Nimbostratus
Nov 09, 2010
Replay Attack prevention for HTTP Post of Auth details
Hi, I have an application (let's call it website 1) which users log into using a username and password. Once logged in the app sends back a simple landing page with some links, and in hidden fields it...
JRahm
Admin
Nov 10, 2010
This is totally doable. You'd need to have an iRule on each virtual. First virtual iRule would collect payload and search/replace the user/password. Take the username/password, hash it, send the hash to the user in an encrypted cookie and store the credentials in the session table locally. The second virtual's iRule would then look up the hash in the session table, format the request with the username/password in appropriate fields for the request, then delete the session table entry. No entry, no replay. Obviously, there is work to do on your part, but there is a solution, and if you get stuck, post back.
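The single-use lookup described in the reply above, modelled in Python as an added example; it is not code from the thread and not an iRule. The class and method names, the 30-second lifetime and the per-login nonce mixed into the hash are assumptions, and cookie encryption is left out.

```python
import hashlib
import secrets
import time


class OneTimeCredentialStore:
    """Stands in for the session table shared by the two virtual servers."""

    def __init__(self, ttl=30.0, clock=time.monotonic):
        self._ttl = ttl            # assumed lifetime of an unredeemed entry
        self._clock = clock
        self._table = {}           # token -> (expiry, username, password)

    def issue(self, username, password):
        """First virtual: park the credentials and return the token for the cookie."""
        # Assumption: a random nonce is hashed in so that two logins with the
        # same credentials never produce the same token.
        nonce = secrets.token_bytes(16)
        material = nonce + username.encode() + b"\x00" + password.encode()
        token = hashlib.sha256(material).hexdigest()
        self._table[token] = (self._clock() + self._ttl, username, password)
        return token

    def redeem(self, token):
        """Second virtual: fetch and delete in one step; None means reject."""
        # pop() removes the entry as it reads it, so a second presentation of
        # the same token finds nothing. On a real proxy the lookup and delete
        # must be equally atomic, or two concurrent requests could both pass.
        entry = self._table.pop(token, None)
        if entry is None:
            return None                      # unknown or already used: replay
        expiry, username, password = entry
        if self._clock() > expiry:
            return None                      # never redeemed in time
        return username, password


def demo():
    """Constructed walk-through: normal use, a replay, and an expired token."""
    now = [0.0]                              # fake clock so the run is deterministic
    store = OneTimeCredentialStore(ttl=30.0, clock=lambda: now[0])
    token = store.issue("alice", "constructed-password")
    first = store.redeem(token)              # credentials handed to the second app
    replay = store.redeem(token)             # same cookie again: no entry
    stale = store.issue("alice", "constructed-password")
    now[0] = 31.0
    expired = store.redeem(stale)            # outlived its lifetime
    return first, replay, expired, token != stale
```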
