Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology

answers

Use POSTed form data to identify logout action for login enforcement?

Updated 12/18/2012 • Originally posted on 18-Dec-2012 by Michael 309

Hiya, I'm new to ASM and I've got it running on a shiny new 11.2.0 BigIP.

I'm setting up a policy and want to be able to correlate events with logged-on users and their sessions.  I believe a good way to do that would be to leverage "login enforcement" using preconfigured login pages and logout pages.  I believe those are the triggers for establishing and terminating sessions.  Please correct me if I'm wrong.

So I've set up a login page with access validation criteria and it works great.  I used the URL which is the POST target of a forms-based login page and I see in the logs that the username area is filled in when I log on.  Cool!

Now I want to configure the logout URL so ASM can know when a session is terminated.  All I see is the ability to enter an explicit logoff URL.  In my case the application performs logoff via form submission with a logout parameter set.  Is there a way to tell ASM to end a session when the logout action is POSTed to a specific URI?

 

0
Rate this Question

Answers to this Question

1 Answers:

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Updated 19-Dec-2012 • Originally posted on 19-Dec-2012 by rob_carr 383
I'm setting up a policy and want to be able to correlate events with logged-on users and their sessions. I believe a good way to do that would be to leverage "login enforcement" using preconfigured login pages and logout pages. I believe those are the triggers for establishing and terminating sessions. Please correct me if I'm wrong.


The ASM isn't really responsible for establishing or terminating sessions between clients and your application; it won't be supplying session IDs/cookies, for example. The login page functionality is more about establishing a relationship between a login page and URL's that should only be reached after login, with an eye to preventing forceful browsing.

The ASM has some sort of internal state keeping mechanism, recording which sessions have passed through the login page and how long it has been since the login event (if a timeout is configured). If the session then attaches to the logout URL, that state record is cleared, and any further attempts to go to a protected URL will result in violations. I suspect all of this is transparent to the client and application.
0
;