APM: Insert a cookie on a HTTP Response inside apm flow

Question

Hi all,
this is the situation: I'm performing a simple authentication on an Oracle LDAP by APM, in case of password expiration I configured an endig that redirect on an external change password page. I need to send to this page, and so to the user, a cookie (or a header, it doesn't matter) with the user name of the user that made login.
I've tried with an iRule on HTTP Response event but it doesn't seems to be triggered when the ending of the apm flow is a redirect.
This is the simple iRule that I used:
when HTTP_RESPONSE {
        log local0. "Inserisco il cookie con il nome utente" 
        HTTP::cookie insert name "user" value "Pippo"
}

I can't see log on ltm, so I imagined that in case of redirect I don't exit from APM, so I tried to insert an iRule on ACCESS_POLICY_AGENT_EVENT:
when ACCESS_POLICY_AGENT_EVENT {
HTTP::cookie insert name "user" value "pippo"
log local0. "INSERTUSER: Sto inserendo il cookie"
}

But still nothing....
Can you help me?
Cristian

kunjan · Answer

Are you able to use ACCESS_POLICY_COMPLETED event with ACCESS::respond?&nbsp;
https://devcentral.f5.com/wiki/iRules.ACCESS__respond.ashx&nbsp;

cri · Answer

I'tried this event this afternoon: the event is correctly triggered but it seems to work server side, not client side, I can't see set-cookie instruction in response.
I wonder if I'm able to operate client side in this "particular" situation...&nbsp;

cody_green · Answer

Hi Cristian, &nbsp;
Another option would be to use the pool select option in the APM VPE versus redirecting the user.  This would switch the resource pool to the change password server and you could then use a WebSSO method to provide the username to the backend application. Once the user updates their password you would issue a log off event and have them log in with their new credentials. &nbsp;
The advantage to this over the redirect is that any username in the cookie, POST header, or GET URI could be intercepted and modified.  With this option you can use the multifactor authentication capabilities of APM and send a one time password to the user that must be verified before they can access the change password site.&nbsp;
Just a thought...&nbsp;
Cody  &nbsp;

cri · Answer

Hi Cody,
really an interesting solution! To adopt it I have to change some iRule because the server that hosts the change password page need to be called with a specific host header and using pool selection method user doesn't change the host context.
At the moment I implemented an easy solution that pass username in uri, modifying redirect ending in this way:
{session.logon.last.username}
I don't like this solution because of http encoding could change the value of username in case of it includes special characters so I'm driving to test your suggestion asap. I'll let you know if it works, thank you for your help!
Cristian

Forum Discussion

APM: Insert a cookie on a HTTP Response inside apm flow

4 Replies

Recent Discussions

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

About custome Response Blocking Page

About IPI check ip list

Cookie Violation - Expired TimeStamp.

CGNAT with DS-lite and LSN

Related Content

iRule to take cookie from HTTP Response into HTTP Request via table

Introduction of Incident Response

custom response page for api

Decoding the IPv4 address from the persistence cookie

Insert Content Into Server Response