Suppress MFA for a period of time
I had this working perfectly until the 14.1.4 upgrade. When I got F5 support involved, they said it is because of the way the new version treats the HTTP::respond. The cookie will be created one time for the first person who logs in. However, no one else will get the cookie. When I put logging in the when HTTP_RESPONSE event, it seems like the F5 is responding correctly and creating the cookie for that first user, because I see this in the log:
<HTTP_RESPONSE>: Server: Apache
but then every time after, the actual IIS web server of the pool member seems to be responding:
HTTP Request Headers: Server: Microsoft-IIS/10.0
and then it looks like it responds twice. They suggested I needed an HTTP::close. That did seem to help for the first user, as when the cookie expired and after the next login, the cookie was created for that user. But only if he was using the same browser. I also noticed I can repeat the process if I force the active to standby and try again. The first person to log in will get the cookie but no one else. I attached 2 examples of the logs created. Is anyone else on version 14.1.4 and experiencing this issue?
when HTTP_RESPONSE {
    # If the table should be set, record the client IP and set the encrypted cookie
    if { [ACCESS::session data get session.custom.suppressmfa.setauthtable] == 1 } {
        table set tab_amia:[IP::client_addr] Authed $static::suppress_mfa(seconds)
        HTTP::cookie insert name $static::suppress_mfa(cookie) value $static::suppress_mfa(value) path "/"
        if { $static::AMIADEV_Cookie_debug } { log local0. "cookie $static::suppress_mfa(cookie) set for $static::suppress_mfa(seconds)" }
        HTTP::cookie expires $static::suppress_mfa(cookie) $static::suppress_mfa(seconds) relative
        if { $static::AMIADEV_Cookie_debug } { log local0. "cookie expires in $static::suppress_mfa(seconds)" }
        # Harden the cookie: HTTPS only, not readable from script, encrypted value
        HTTP::cookie secure $static::suppress_mfa(cookie) enable
        HTTP::cookie httponly $static::suppress_mfa(cookie) enable
        HTTP::cookie encrypt $static::suppress_mfa(cookie) $static::suppress_mfa(passphrase)
        HTTP::header "Cache-Control" "max-age=$static::suppress_mfa(seconds)"
        HTTP::close
        # Debug: dump the headers of this response
        foreach aHeader [HTTP::header names] {
            if { $static::AMIADEV_Cookie_debug } { log local0. "HTTP Request Headers: $aHeader: [HTTP::header value $aHeader]" }
        }
        # Reset the flag once the cookie has been issued
        ACCESS::session data set session.custom.suppressmfa.setauthtable 0
    }
}