iRule to store cookie in table

Question

Hi,&nbsp;
I am really iRule novice and so any advice, pointing in right direction will be of great help for me. I am short on time and have to create iRule with following logic:&nbsp;
Service behind F5 is doing kind of authenticationIf user succeed cookie is creatediRule should monitor HTTP_RESPONSE for presence of this cookie for specific URIWhen detected in Set-Cookie header entry in session table should be created (with set lifetime like 2400s - counter updates should not extend lifetime of this entry) storing cookie valueHTTP_REQUEST should be monitored for presence of above cookieWhen detected lookup in table should be performed (using cookie value?)
If found:

Entry should be checked if it is first occurrence of given cookie value (so this value is detected for first time)
If yes - values from few headers should be added - like User-Agent, first IP from X-Forwarded-For (the one that should be real user IP that initiated connection from Internet), maybe some more, counter should be set to 1If not just counter should be incremented

If not found lookup in separate subtable (like false_cookie, indefinite lifetime) should be performed
If entry found counter should be incrementedIf not found new entry should be created using cookie value as a key?Connection should be dropped. Optionally sorry page displayed

Well, that is my idea but maybe I am missing something or there is better way. Main goal is to drop all HTTP request (POST operation using specific URI) that do not contain valid cookie. Plus collecting stats about how many illegitimate attempts to perform POST to this UIR were issued.&nbsp;
Hope it makes sense, will appreciate a lot any help,&nbsp;
Piotr&nbsp;

brad_parker · Answer

I would suggest using APM for this rather than an LTM iRule.  APM should be able to provide all of your request out of the box.&nbsp;

dragonflymr · Answer

Hi,&nbsp;
Unfortunately APM is not an option right now. Maybe in the future but time frame is to tight :-(&nbsp;
I started some work but it's going quite slow :-(&nbsp;
Piotr&nbsp;

brad_parker · Answer

The part about your proposed rule that may be challenging is all the additional info you want to store in the table. What will you do with that info? If you don't plan on using it or logging it, its really a waste of memory space. Also, remember the table command is just a hash table(key value pair) so saving all that additional info about the user won't be in the same record that you want to increment. I would suggest the storage of all the info be done with High Speed Logging off box and just use the logic of deciding if a users has the required cookie to hit the URI to block connections. That may help much more with historical research while at the same time lessening the memory and CPU load of the iRule.

stanislas_piro2 · Answer

You can try with this irule (not tested) to begin...
when HTTP_REQUEST {
    switch [HTTP::path] {
        "/img/logo.png" -
        "every-file-used-in-auth-page" -
        "/login.php" {
            return
        }
        default {
            if {([HTTP::cookie exists "mycookie"]) &amp;&amp; ([table lookup -subtable "authent" [HTTP::cookie value mycookie]] != "")} {
                return
            } else {reject}
        }
    }
}

when HTTP_RESPONSE {
  if { [HTTP::cookie exists "mycookie"] } { table add -subtable "authent" [HTTP::cookie value mycookie] "logged" indef 2400
 }
}

dragonflymr · Answer

Hi,&nbsp;
Thanks a lot for help. Good point about difficulty of storing multiple values in table. Maybe if I explain issue better you can advice some better solution.&nbsp;
Authentication cookie is set by another system than session cookie. I need to find efficient way to glue together such values:&nbsp;
User-Agent
X-Forwarded-For (real client IP should be extracted in case there were few intermediary proxies on the path to BIG-IP)
ASP.NET_SessionId&nbsp;
So in the end when specific URI will be requested (or optionally when POST to specific URI will be performed) it can be easy to verify if for given authentication cookie all above variables are identical as the ones when authentication cookie was send.&nbsp;
So when request to authentication URI is issued by new client I am collecting:
User-Agent
X-Forwarded-For
ASP.NET_SessionId (already set during previous requests by application server)&nbsp;
Then when response after successful authentication is send with Set-Cookie setting my auth cookie it's recorded along mentioned variables.&nbsp;
Then when request to URI that can only be accessed by request with valid auth cookie arrives I can easily lookup if auth cookie and all mentioned varaibles are identical as at the time when auth cookie was issued.&nbsp;
I suspect that it can be done creating key that is composed from all those elements (with no stored)?&nbsp;
Or maybe it's better to use my auth cookie as key and store mentioned variables (as one string) in value&nbsp;
Then I am doing lookup, if entry exist I am comparing request provided values with ones stored in value?&nbsp;
Piotr&nbsp;

Forum Discussion

iRule to store cookie in table

6 Replies

Recent Discussions

How to target only webview rendering with CSS?

ltm policy asm_auto_l7_policy

MAC address not showing up in LLDP packet

F5Access | MacOS Sonoma

Active- Active HA setup

Related Content

iRule to take cookie from HTTP Response into HTTP Request via table

Decoding the IPv4 address from the persistence cookie

Re: SYN Cookie operation

1. SYN Cookie: Intro

Complete MFA solution with GA stored in Active Directory