For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

tt-headtech_945's avatar
tt-headtech_945
Icon for Nimbostratus rankNimbostratus
Aug 28, 2009
the URI is not hidden, it is just not there after the redirection.

 

 

example:

 

 

https://sslvpn.example.org/ --> global config with AD-auth

 

https://sslvpn.example.org/project1 --> URI-based customization with second auth-server

 

https://sslvpn.example.org/project2 --> URI-based customization with another different auth-server

 

 

Users receive their correct login via email - they click on the link - the browser goes to the correct URI --> Firpass redirects all to the same URL

 

https://sslvpn.example.org/my.logon.php3

 

and remembers the correct URI / auth-server with cookie.

 

 

At this time the user bookmarks HIS login. (he sees the correct customization)

 

The next time he uses this bookmark he will get to the global configuration with the wrong auth-server and fails login.

 

 

Solution would be if the Firepass keeps the URI during the login-phase or even the whole user-session.