Forum Discussion

umiotoko_95283
Sep 21, 2011

X-Authenticated-User field

Probably a stooopid question, but I can't seem to find detailed documentation on this.

I host an SSL website that our users have to log into, through APM with an LDAP call to AD. With the iRule logic below, I pass the username to an application that uses AD groups to decide what a user can see or do.

HTTP::header insert "X-Authenticated-User" [ACCESS::session data get session.logon.last.username]

A sufficiently smart user could attempt to elevate themselves by using a valid login, then attempt to manually populate the X-A-U field with a higher privilege username.

My questions:

1. Does F5 APM/LTM automatically wipe the X-A-U header? Or should my iRule do this manually?

2. If the user attempted to populate this header from an external request, would I ever end up with duplicate headers (one from the user and one from F5)?

Thanks!




1 Reply

  • Brian_Deitch_11
    Historic F5 Account
    1. I don't think so. You should do this within your irule.

    2. You will have duplicates.

    Try this:

      if { [HTTP::header exists "X-Authenticated-User"] } {
          # drop every client-supplied copy before inserting the APM-verified value
          HTTP::header remove "X-Authenticated-User"
      }
      HTTP::header insert "X-Authenticated-User" [ACCESS::session data get session.logon.last.username]
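The duplicate-header situation from question 2, as an added simulation (not code from this thread or from F5): the proxy is modelled as a function over an ordered list of headers, once the way the original one-line iRule behaves (insert only) and once the way the fixed iRule behaves (remove, then insert). The client request, the username "alice" and the forged value "domain_admin" are constructed here; the model also assumes that the remove step drops every instance of the header name, not just the first one.

```python
"""Simulate the X-Authenticated-User hop: client -> APM/LTM proxy -> backend app.

Added example, not code from the thread. Headers are kept as an ordered list of
(name, value) pairs because HTTP allows the same header name to appear more than
once, which is exactly what produces the duplicates the question asks about.
"""

HEADER = "X-Authenticated-User"


def _is_auth_header(name):
    # HTTP header names are case-insensitive, so a forged "x-authenticated-user"
    # must be treated the same as "X-Authenticated-User".
    return name.lower() == HEADER.lower()


def proxy_forward(client_headers, apm_username, strip_client_copies):
    """Return the header list the backend receives after the proxy.

    strip_client_copies=False mirrors the original insert-only iRule.
    strip_client_copies=True mirrors the fixed iRule: remove every client-supplied
    copy, then insert the value APM verified at logon.
    Assumption: removal drops all instances of the name, not only the first one.
    """
    headers = [
        (n, v) for (n, v) in client_headers
        if not (strip_client_copies and _is_auth_header(n))
    ]
    headers.append((HEADER, apm_username))
    return headers


def backend_user(headers, policy="first"):
    """Read the header the way a backend might.

    Some frameworks return the first occurrence of a repeated header, others the
    last. With duplicates present the identity the app acts on depends on that
    framework detail, which is the ambiguity the fixed iRule removes.
    """
    values = [v for (n, v) in headers if _is_auth_header(n)]
    if not values:
        return None
    return values[0] if policy == "first" else values[-1]


def count_copies(headers):
    """Number of X-Authenticated-User headers present (any letter case)."""
    return sum(1 for (n, _) in headers if _is_auth_header(n))


# Constructed request from a legitimately logged-in user ("alice") whose client
# also sends its own copy of the header. Cookie value is a placeholder.
FORGED_REQUEST = [
    ("Host", "app.example.com"),
    ("x-authenticated-user", "domain_admin"),   # client-supplied, never trustworthy
    ("Cookie", "MRHSession=constructed-placeholder"),
]

if __name__ == "__main__":
    naive = proxy_forward(FORGED_REQUEST, "alice", strip_client_copies=False)
    fixed = proxy_forward(FORGED_REQUEST, "alice", strip_client_copies=True)
    print("insert only :", count_copies(naive), "copies; first-wins backend sees",
          backend_user(naive, "first"), "; last-wins backend sees", backend_user(naive, "last"))
    print("remove+insert:", count_copies(fixed), "copy ; backend sees", backend_user(fixed))
```

Running it shows the insert-only path delivering two copies, so a first-wins backend acts as "domain_admin" while a last-wins backend acts as "alice"; the remove-then-insert path delivers exactly one copy carrying the APM username regardless of how the backend reads repeated headers. The same reasoning applies to any header the proxy uses to assert identity to an application that cannot verify it itself.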