Forum Discussion

Mike_Ho's avatar
Mike_Ho
Icon for Cirrus rankCirrus
Dec 18, 2012

Use POSTed form data to identify logout action for login enforcement?

Hiya, I'm new to ASM and I've got it running on a shiny new 11.2.0 BigIP.

 

I'm setting up a policy and want to be able to correlate events with logged-on users and their sessions. I believe a good way to do that would be to leverage "login enforcement" using preconfigured login pages and logout pages. I believe those are the triggers for establishing and terminating sessions. Please correct me if I'm wrong.

 

So I've set up a login page with access validation criteria and it works great. I used the URL which is the POST target of a forms-based login page and I see in the logs that the username area is filled in when I log on. Cool!

 

Now I want to configure the logout URL so ASM can know when a session is terminated. All I see is the ability to enter an explicit logoff URL. In my case the application performs logoff via form submission with a logout parameter set. Is there a way to tell ASM to end a session when the logout action is POSTed to a specific URI?

 

 

APM
app sec
security

1 Reply

Sort By
  • rob_carr's avatar
    rob_carr
    Icon for Cirrostratus rankCirrostratus
    Dec 20, 2012
    I'm setting up a policy and want to be able to correlate events with logged-on users and their sessions. I believe a good way to do that would be to leverage "login enforcement" using preconfigured login pages and logout pages. I believe those are the triggers for establishing and terminating sessions. Please correct me if I'm wrong.

     

     

    The ASM isn't really responsible for establishing or terminating sessions between clients and your application; it won't be supplying session IDs/cookies, for example. The login page functionality is more about establishing a relationship between a login page and URL's that should only be reached after login, with an eye to preventing forceful browsing.

     

     

    The ASM has some sort of internal state keeping mechanism, recording which sessions have passed through the login page and how long it has been since the login event (if a timeout is configured). If the session then attaches to the logout URL, that state record is cleared, and any further attempts to go to a protected URL will result in violations. I suspect all of this is transparent to the client and application.