Forum Discussion

KD_48848
Sep 10, 2008

iRule to match http referer to be Null

Currently www.abc.com/login.html is getting redirected to www.abc.com/private/login.html as per the code.

www.abc.com/private/login.html has the Referer header enabled, and it is set to www.abc.com/login.html.

We have one authentication server in between which matches "/private/" in the URI, and if it matches the keyword 'private' then it will skip the authentication process.

So if requests are coming directly to www.abc.com/private/login.html, they are not authenticating with the authentication server.

We need to place a redirect where it will match the HTTP Referer as null and will only then redirect to "www.abc.com/login.html", which again as per the code will authenticate with the authentication server and will finally redirect to "www.abc.com/private/login.html".

Does anyone have any idea how to achieve this?

Thanks in advance.

Thanks,

KD.

1 Reply

  • Hi,

    I'm pretty sure that the server cannot influence what the client's browser sets as the referer header in requests. The browser generates the referer header value based on the link that the client accessed to generate the current request. Check RFC 2616 section 14.36 for details.

    As the referer header and any other unencrypted HTTP header can be arbitrarily set by a malicious user, it's not a great idea to depend on this for access control. It would be much more secure to fix the application's authentication/authorization or potentially set an encrypted cookie when a client logs in and validate that on subsequent requests.

    Aaron
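Added example, not part of the original thread and not an iRule: a Python model of the two gates discussed above, showing that a Referer-based check passes any request that supplies the header, while a cookie issued at login and validated on each request does not. It uses an HMAC-signed, expiring cookie in place of the encrypted cookie mentioned in the reply; the key, cookie name, function names and 900-second lifetime are assumptions.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to clients
COOKIE = "session"                # assumption: hypothetical cookie name
LOGIN_URL = "/login.html"         # login page named in the thread


def _sign(payload: str) -> bytes:
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac)


def issue_cookie(user: str, now: int, ttl: int = 900) -> str:
    """Issue only after the authentication server has accepted the login."""
    payload = f"{user}|{now + ttl}"
    return f"{payload}|{_sign(payload).decode()}"


def cookie_valid(value: str, now: int) -> bool:
    """True only for an untampered, unexpired cookie signed with SECRET."""
    try:
        payload, sig = value.rsplit("|", 1)
        expiry = int(payload.rsplit("|", 1)[1])
        # Constant-time comparison of the presented and recomputed signatures.
        return hmac.compare_digest(sig.encode(), _sign(payload)) and expiry > now
    except (ValueError, IndexError):
        return False  # malformed cookie: treat as unauthenticated


def referer_gate(path: str, headers: dict) -> tuple:
    """The check requested in the question: trusts a client-supplied header."""
    if path.startswith("/private/") and not headers.get("Referer"):
        return (302, LOGIN_URL)
    return (200, None)


def cookie_gate(path: str, cookies: dict, now: int) -> tuple:
    """The reply's suggestion: Referer is ignored, only a valid cookie passes."""
    if path.startswith("/private/") and not cookie_valid(cookies.get(COOKIE, ""), now):
        return (302, LOGIN_URL)
    return (200, None)
```
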