Are you using the ASM module?
- yosry92_331999 (Nimbostratus)
Yes
- Jeff_Maddox_394 (Historic F5 Account)
Does the password page only get presented with a valid username, or does it accept any username and then present the credential pair with the submit action on the password page?
- youssef1 (Cumulonimbus)
Hello,
I used this kind of deployment in an identity federation (SAML). I first asked for the username for IdP discovery, in order to forward the user to the IdP he is attached to... Then I asked for the password.
I tried to do it with ASM without success (I'm not sure that's possible in 2 different contexts with ASM) and finally I did it with APM, with localDB lockout... Are you using APM?
Regards,
- Stanislas_Piro2 (Cumulonimbus)
Hi,
You can try code like this (not tested).
It captures the username in the first request, then stores it for the next request.
When the user sends the password, it inserts the username into the payload to allow ASM brute force protection.
When ASM has allowed the request, it replaces the payload with the previous one (in the HTTP_REQUEST_SEND event).
```tcl
when HTTP_REQUEST {
    if {[HTTP::uri] equals "/login"} {
        # Replace the cookie name with the application cookie used to follow the session
        set key [HTTP::cookie value mycookie]
        if {[HTTP::header exists "Content-Length"] && [HTTP::header "Content-Length"] <= 1048576} {
            set content_length [HTTP::header "Content-Length"]
        } else {
            set content_length 1048576
        }
        # Check if $content_length is not set to 0
        if {$content_length > 0} {
            HTTP::collect $content_length
        }
    }
}

when HTTP_REQUEST_DATA {
    if {[set username [URI::query "?[HTTP::payload]" username]] ne ""} {
        # First request: store the username for this session (timeout 300 s, lifetime 900 s)
        table set -subtable BruteForceProtection $key $username 300 900
    } elseif {[URI::query "?[HTTP::payload]" password] ne ""} {
        # Password request: fetch the username stored by the first request
        set username [table lookup -subtable BruteForceProtection $key]
        # Keep the original payload so it can be restored after ASM has seen the pair
        set payload [HTTP::payload]
        HTTP::payload replace 0 [HTTP::payload length] "$payload&username=$username"
        set plength [HTTP::payload length]
        HTTP::release
    }
}

when HTTP_REQUEST_SEND {
    # Restore the original payload once ASM has allowed the request
    if {[info exists payload]} {
        HTTP::payload replace 0 $plength $payload
        unset payload
    }
}
```
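An offline Python model of the rewrite logic in the iRule above, added here as an example (not code from the thread or from F5), for checking which body ASM would inspect and which body the server would receive before the untested iRule goes onto a BIG-IP. The class and method names, the `(None, None)` result when no username is on record, and building the pair from the stored username only are assumptions of this example; the table's idle-timeout refresh and 900-second lifetime are not modelled.

```python
import time
from urllib.parse import parse_qs, urlencode

TIMEOUT = 300  # seconds, same timeout value as the iRule's table entry


class TwoStepLoginModel:
    """Models the rewrite only: what ASM inspects vs. what the server receives."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._table = {}  # session key -> (username, expiry); stands in for the subtable

    def _lookup(self, key):
        entry = self._table.get(key)
        if entry is None or entry[1] <= self._clock():
            self._table.pop(key, None)  # expired or never stored
            return None
        return entry[0]

    def handle(self, session_key, body):
        """Return (body_seen_by_asm, body_sent_to_server) for one POST to /login."""
        fields = parse_qs(body, keep_blank_values=True)
        if "password" not in fields:
            # Step 1: remember a non-empty username for this session, pass body through.
            username = fields.get("username", [""])[0]
            if username:
                self._table[session_key] = (username, self._clock() + TIMEOUT)
            return body, body
        # Step 2: pair the password with the username stored for this session.
        stored = self._lookup(session_key)
        if stored is None:
            return None, None  # assumption: no step 1 on record means no pair to build
        # Assumption: a username field in the step-2 body is not used for the pair.
        pairs = [(k, v) for k, vs in fields.items() if k != "username" for v in vs]
        asm_body = urlencode(pairs + [("username", stored)])
        return asm_body, body  # the server gets the original payload back
```

Values are re-encoded with `urlencode`, so a username or password containing `&` or `@` cannot split or shift the fields of the body ASM parses.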