Client Auth Using HTTP Cookie

Problem this snippet solves:

This is an example using HTTP cookie for authentication. If authentication is successful, a cookie will be sent to client. If next time, the AUTH cookie is present and valid, client will be passed immediately without being checked with AAA server. The cookie name, password, domain should be properly modified by user. This rule is for radius AUTH. If replacing radius with ldap or tacacs, it works too.

Code :

when CLIENT_ACCEPTED {
set authinsck 0
set forceauth 1
set ckname BIGXAUTH
set ckpass 1xxx5678
set ckvalue [IP::client_addr]
set ckdomain .y.z
set asid [AUTH::start pam default_radius]
}
when HTTP_REQUEST {
if {[HTTP::cookie exists $ckname]} {
HTTP::cookie decrypt $ckname $ckpass 128
if {[HTTP::cookie value $ckname] eq $ckvalue} {
set forceauth 0
}
HTTP::cookie remove $ckname
}
if {$forceauth eq 1} {
AUTH::username_credential $asid [HTTP::username]
AUTH::password_credential $asid [HTTP::password]
AUTH::authenticate $asid
HTTP::collect
}
}
when HTTP_RESPONSE {
if {$authinsck eq 1} {
HTTP::cookie insert name $ckname value $ckvalue path / domain $ckdomain
HTTP::cookie secure $ckname enable
HTTP::cookie encrypt $ckname $ckpass 128
}
}
when AUTH_SUCCESS {
if {$asid eq [AUTH::last_event_session_id]} {
set authinsck 1
HTTP::release
}
}
when AUTH_FAILURE {
   if {$asid eq [AUTH::last_event_session_id]} {
   HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"\""
   }
}
when AUTH_WANTCREDENTIAL {
   if {$asid eq [AUTH::last_event_session_id]} {
   HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"\""
   }
}
when AUTH_ERROR {
   if {$asid eq [AUTH::last_event_session_id]} {
HTTP::respond 401
   }
}
Published Mar 16, 2015
Version 1.0
application delivery
devops
iRules
security

Was this article helpful?

4 Comments

Sort By
  • swo0sh_gt_13163's avatar
    swo0sh_gt_13163
    Icon for Altostratus rankAltostratus
    Mar 07, 2016
    Can I make it working with Local Database? I mean configuring Data group with Username and Password hash? If yes, any examples? Thank you!
  • Tosin_Omojola's avatar
    Tosin_Omojola
    Icon for Altostratus rankAltostratus
    Aug 11, 2016

    I have an application which has a link to BIGIP on its webtop. When the BIGIP app link is clicked on the webtop, I want BIGIP to verify user session coming from there before passing it on to the servers its loadbalancing.

     

    If the user is not authenticated, he should be redirected to the login page otherwise, grant access to the resource.

     

    Please How can I achieve that with this code snippet or other? Thanks

     

  • Habib_Ulla_Khan's avatar
    Habib_Ulla_Khan
    Icon for Nimbostratus rankNimbostratus
    May 09, 2017

    I have a VIP (no apm). this is application used in ipad. Once user logins to ipad he gets buttons to navigate to different application (which are vip with APM). As user is already logged into main application. Anytime he clicks on buttons (links to different application), he should get cookie authentication. Where will i apply this irule.. Should i apply on main VIP or applications which are referred as buttons.