Use POSTed form data to identify logout action for login enforcement?

Cirrostratus

Dec 20, 2012

I'm setting up a policy and want to be able to correlate events with logged-on users and their sessions. I believe a good way to do that would be to leverage "login enforcement" using preconfigured login pages and logout pages. I believe those are the triggers for establishing and terminating sessions. Please correct me if I'm wrong.

The ASM isn't really responsible for establishing or terminating sessions between clients and your application; it won't be supplying session IDs/cookies, for example. The login page functionality is more about establishing a relationship between a login page and URL's that should only be reached after login, with an eye to preventing forceful browsing.

The ASM has some sort of internal state keeping mechanism, recording which sessions have passed through the login page and how long it has been since the login event (if a timeout is configured). If the session then attaches to the logout URL, that state record is cleared, and any further attempts to go to a protected URL will result in violations. I suspect all of this is transparent to the client and application.

Forum Discussion

Use POSTed form data to identify logout action for login enforcement?

Recent Discussions

Telemetry streaming to Elasticsearch

Portal Access to HTTPS resources slow

Provisioning r2600 equipment

Could not connect to SMTP host.

Block CBC

Related Content

BoT Defense Profile, Signature Enforcement

Can't identify cookie

Adaptive Apps: Identify underlying issues in a complex app portfolio - Demo Kit

Enforce RFC Compliance option in http profile

Unique Identifier for irules Http response