Forum Discussion

samdlee_305622 (Nimbostratus)
Dec 10, 2018

[ACCESS::user getsid key]

Hi,

With reference to the documentation for ACCESS::user:

ACCESS::user getsid 
Returns the list of created external SIDs which is associated with the specified key

I am wondering:

  1. what could those valid specified keys be?
  2. who has created those external SIDs, and when?
  3. is the word "external" related to "internal", i.e. 5dfd546f.session.key?
  4. what's the subtle difference between ACCESS::uuid and ACCESS::user getsid?
  5. under which situations could one have many external SIDs associated with one single key?

Thanks in advance

3 Replies

  • It seems that if one could get hold of the right key, one could retrieve the APM session cookie for another APM session:

    set apm_cookie_list [ACCESS::user getsid $the_guessed_user_key]
    set apm_cookie [ACCESS::user getkey [lindex $apm_cookie_list 0]]

    It would be really appreciated if F5 experts could explain in detail how the external SIDs are associated with such a key, what the naming convention or requirements for that key are, and who comes up with such a key. Should the key contain something closely related to the session concerned, such as a hashed password? How does F5 internally avoid collisions for those keys across APM sessions? Is it the internal session variable session.user.uuid that holds the value for the specified key?

    @Kevin Stewart could you please shed some light on it?

  • Hi,

     

    If you haven't changed the user key, the default value is set by this code:

    set apm_uuid "[PROFILE::access name].[ACCESS::session data get session.logon.last.username]"

    But you can change it, as in this code:

     

    when RULE_INIT {
        set static::Basic_Realm_Text "Authentication Required"
    }

    when HTTP_REQUEST {
        if { ! [info exists SP_PROFILE_RESTRICT_SINGLE_IP] } {
            set SP_PROFILE_RESTRICT_SINGLE_IP [PROFILE::access restrict_to_single_client_ip]
        }
        if { ([set sessionid [HTTP::cookie value "MRHSession"]] ne "") and ([ACCESS::session exists -state_allow $sessionid]) } then {
            # Allow the successfully pre-authenticated request to pass
            return
        } else {
            if { [string match -nocase {basic *} [HTTP::header Authorization]] == 1 } {
                set clientless(insert_mode) 1
                set clientless(src_ip)      [IP::remote_addr]
                set clientless(username)    [string tolower [HTTP::username]]
                set clientless(password)    [HTTP::password]
                # The user key is "<username>.<hex md5>"; the client IP is mixed into the
                # hash when the access profile restricts a session to a single client IP
                if { $SP_PROFILE_RESTRICT_SINGLE_IP == 0 } {
                    binary scan [md5 "$clientless(password)"] H* clientless(hash)
                } else {
                    binary scan [md5 "$clientless(password)$clientless(src_ip)"] H* clientless(hash)
                }
                set user_key "$clientless(username).$clientless(hash)"
                # Look up the external SIDs already created for this key and reuse the
                # first one's session key as the MRHSession cookie
                set clientless(cookie_list) [ACCESS::user getsid $user_key]
                if { [llength $clientless(cookie_list)] != 0 } {
                    set clientless(cookie) [ACCESS::user getkey [lindex $clientless(cookie_list) 0]]
                    if { $clientless(cookie) != "" } {
                        HTTP::cookie insert name MRHSession value $clientless(cookie)
                        set clientless(insert_mode) 0
                    }
                }
                # No existing session: hand the credentials to the access policy in clientless mode
                if { $clientless(insert_mode) } {
                    HTTP::header insert "clientless-mode" 1
                    HTTP::header insert "username" $clientless(username)
                    HTTP::header insert "password" $clientless(password)
                }
                # Keep the mode in a plain variable so ACCESS_POLICY_COMPLETED can read it
                # after the array is gone
                set clientless_mode $clientless(insert_mode)
                unset clientless
            }
        }
    }

    when ACCESS_SESSION_STARTED {
        # Replace the default "<profile>.<username>" key with the one derived above
        if { [info exists user_key] } {
            ACCESS::session data set "session.user.uuid" $user_key
        }
    }

    when ACCESS_POLICY_COMPLETED {
        if { ([info exists clientless_mode]) && ($clientless_mode) && ([ACCESS::policy result] equals "deny") } {
            ACCESS::respond 401 noserver WWW-Authenticate "Basic realm=\"$static::Basic_Realm_Text\"" Connection close
            ACCESS::session remove
        }
    }
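    The following iRule is an added example, not code from the thread or from F5. It illustrates the reply's point that one user key (by default "<profile>.<username>") can map to several external SIDs: every logon by the same user under the same access profile adds one, so a user with two browsers, a phone and a forgotten tab accumulates several. The example rebuilds the default key, walks the SIDs returned by ACCESS::user getsid, and keeps only a fixed number of live sessions per key. Assumptions: the access profile still uses the default key; the value returned by ACCESS::user getkey is the MRHSession session ID (which is how the reply's code uses it when it inserts it as that cookie); ACCESS::session remove accepts -sid to end a session other than the current one; getsid lists SIDs in creation order (if it does not, an arbitrary older session is evicted instead of the oldest); and the limit of 2 is a made-up policy value.

```tcl
# Added example, not from the thread: cap live APM sessions per user key.
# Assumptions are listed in the lead-in; "max_sessions_per_key" is a hypothetical policy.
when RULE_INIT {
    set static::max_sessions_per_key 2
}

when ACCESS_POLICY_COMPLETED {
    # Only sessions that actually passed the policy count
    if { [ACCESS::policy result] ne "allow" } { return }

    # Rebuild the key exactly as APM derives it by default
    set user_key "[PROFILE::access name].[ACCESS::session data get session.logon.last.username]"
    set my_sid [ACCESS::session sid]

    # One key maps to every session ever created for that user. getsid may still list
    # SIDs whose session has already ended, so keep only the ones that are still allowed.
    set live [list]
    foreach ext_sid [ACCESS::user getsid $user_key] {
        # Assumption: getkey returns the MRHSession session ID for this external SID
        set sess [ACCESS::user getkey $ext_sid]
        if { $sess eq "" || $sess eq $my_sid } { continue }
        if { [ACCESS::session exists -state_allow $sess] } { lappend live $sess }
    }
    # Log counts only: the session IDs are bearer credentials and must not reach the logs
    log local0. "user key $user_key now has [expr {[llength $live] + 1}] live session(s)"

    # The current session is one of the allowed ones; evict the surplus older ones
    set extra [expr {[llength $live] + 1 - $static::max_sessions_per_key}]
    if { $extra > 0 } {
        foreach old [lrange $live 0 [expr {$extra - 1}]] {
            # Assumption: -sid targets a session other than the current one
            ACCESS::session remove -sid $old
        }
        log local0. "evicted $extra older session(s) for user key $user_key"
    }
}
```

    Note that the loop body is exactly the capability the first reply worries about: whoever can compute a user key and run ACCESS::user getkey holds the MRHSession value of every session behind it. Treat the returned values like passwords (never log them, never echo them in headers or responses) and keep the key derivation out of reach of anything client-controlled other than the credentials themselves.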