X-Authenticated-User field

Question

Probably a stooopid question, but I can't seem to find detailed documentation on this.&nbsp;

&nbsp;
&nbsp;
I host a SSL website that our users have to log into, through APM with a LDAP call to AD.  With the iRule logic below, i pass the username to an application that uses AD groups to decide what a user can see or do.&nbsp;

&nbsp;
&nbsp;
when ACCESS_ACL_ALLOWED {&nbsp;
  HTTP::header insert "X-Authenticated-User"  [ACCESS::session data get session.logon.last.username ]&nbsp;
}&nbsp;

&nbsp;
&nbsp;
A sufficiently smart user could attempt to elevate themselves by using a valid login, then attempt to manually populate the X-A-U field with a higher privilege username.&nbsp;

&nbsp;
&nbsp;

My questions:
&nbsp;

&nbsp;
&nbsp;
1. Does F5 APM/LTM automatically wipe the X-A-U header ?  Or should my iRule do this manually ?&nbsp;

&nbsp;
&nbsp;
2. If the user attempted to populate this header from an external request, would I ever end up with duplicate headers (one from the user and one from F5) ?&nbsp;

&nbsp;
&nbsp;
Thanks !&nbsp;

&nbsp;
&nbsp;

brian_deitch_11 · Answer

1. I don't think so. You should do this within your irule. 
 2. You will have duplicates. 
 Try this: when ACCESS_ACL_ALLOWED {
  if { [HTTP::header exists X-Authenticated-User] {
      HTTP:header remove X-Authnticated-User
    HTTP::header insert "X-Authenticated-User"  [ACCESS::session data get session.logon.last.username ]
}

Forum Discussion

Win Big in Vegas: The iRules Contest is back with $5k on the line at AppWorld 2026

Jürgen - February 2026 Featured Member

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

DNS topology not distributing as expected

Unable to Forward APM and AFM Logs to AWS CloudWatch Using Telemetry Streaming

which virtual server will be hit?

Questions on device trust

Restore configuration to GTM Sync Group device

Related Content

What is HTML Field Obfuscation?

Net Trunk API Status Field Missing

Request logging: some fields not recorded

XML Field Logger Using HTTP Commands

irule reject request when payload field is null