sbu1
Sep 15, 2013

Can't get APM secure session variable value in Branch Rule

Hi

 

I'm trying to compare an OTP string with the Password field of my OTP Logon Page, but I can't access its value.

 

Here is the Compare-Rule: expr { [mcget {session.user.otp.pw}] == [mcget -secure {session.logon.last.otp}] }

 

As soon as I switch from "password" to "text" in the Logon Form, it works. So it looks as if I cannot access the secure variable. The same rule worked on the 11.3 release. Since the upgrade to BIG-IP 11.4.0 Build 2384.0 Final it doesn't work anymore. Any ideas?

 

Best Regards

 

sbu

 

4 Replies

  • I just tested this in 11.4 and I believe it still works. You must assign the custom variable with the secure flag:

    [S] session.custom.otp = expr { "foo" }
    

    And then evaluate both variables with the -secure option:

    expr { [mcget -secure {session.custom.otp}] equals [mcget -secure {session.logon.last.password}] }
    
  • sbu1

    Hi

    Thanks for your answer; unfortunately it does not work for me. I'm setting the first variable within an iRule, and the second one through a Logon Page. I tried different scenarios with the following results:

    iRule:

    ACCESS::session data set session.user.otp.pw "1234"

    LogonPage:

    Type:"text" Post Variable Name:"otp" Session Variable Name:"otp"

    Compare:

    expr { [mcget {session.user.otp.pw}] equals [mcget {session.logon.last.otp}] }

    Result: This Scenario does work

    iRule:

    ACCESS::session data set session.user.otp.pw "1234"

    LogonPage:

    Type:"password" Post Variable Name:"otp" Session Variable Name:"otp"

    Compare:

    expr { [mcget  {session.user.otp.pw}] equals [mcget -secure {session.logon.last.otp}] }

    Result: This Scenario does not work

    iRule:

    ACCESS::session data set -secure session.user.otp.pw "1234"

    LogonPage:

    Type:"text" Post Variable Name:"otp" Session Variable Name:"otp"

    Compare:

    expr { [mcget -secure  {session.user.otp.pw}] equals [mcget {session.logon.last.otp}] }

    Result: This Scenario does not work

    iRule:

    ACCESS::session data set -secure session.user.otp.pw "1234"

    LogonPage:

    Type:"password" Post Variable Name:"otp" Session Variable Name:"otp"

    Compare:

    expr { [mcget -secure  {session.user.otp.pw}] equals [mcget -secure {session.logon.last.otp}] }

    Result: This Scenario does not work

    So the only scenario that works is the one without the "-secure" option. Is there a global setting which prevents me from accessing secure variables even with the "-secure" option? I have no idea why it works for you but not for me.

    Best Regards

    sbu

  • Lucas_Thompson_
    Historic F5 Account

    There is a defect in -secure access to session variables in the 11.4.0 release, ID 421259.

     

    This is corrected in 11.4.0 HF3. Please update to that version.

     

    • sbu1
      Thanks for your Help. Updating to HF3 did the trick! Best Regards sbu