Forum Discussion

SanjayP
Dec 04, 2014

help on iRule

Client PC connects using the existing https link and is directed to our authentication module; this in turn authenticates the user, creates a token for that user session in our application DB and sends another redirect url with a token back to the client PC. The client PC uses this https redirect url with the token, and this in turn triggers our Infocenter application, which allows login and invalidates the token.


Now the issue is that the token, which is part of the GET url, could be prone to a sniffing / MITM attack and hence be used by someone else to log in.


Can an iRule be written so that, in the response F5 sends to the client, the token gets encrypted or hidden in the URL?


2 Replies

  • Hmmm, that shouldn't be possible if you are using HTTPS. As it's in the URL and not compressed you are also NOT vulnerable to CRIME or BEAST, which is good.


    If you did encrypt or mask it, this wouldn't help as the MITM could just sniff that and use that instead. Likewise, if you put it in a cookie and encrypted that, the encrypted cookie could just be replayed.


    In this instance you are probably better off ensuring your TLS configuration is highly secure.


  • Thanks Steve. By any chance do you have an iRule to mask the token in the response from F5 to the client? The token will be added in the URL..
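The point of the first reply is that masking the token in the URL buys nothing, because whoever can read the URL can replay whatever is in it. What does limit the damage is the server-side handling the question already describes: the token is single-use and is invalidated by Infocenter on login. The example below is added here and is not code from the thread, from F5 or from the poster's application; it is a constructed in-memory stand-in for the "application DB" showing that flow with two extra defensive properties, a short lifetime and hashed-at-rest storage, so a replayed, expired or leaked-from-DB token is rejected.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

class TokenStore:
    """Constructed stand-in for the application DB in the question.

    Only the SHA-256 of each token is stored, so a copy of the table
    cannot be replayed; the live token exists only in the redirect URL.
    """

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self._by_hash = {}  # sha256(token) -> (username, issued_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, now=None):
        """Authentication module: mint a one-time token for this session."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
        self._by_hash[self._digest(token)] = (username, now)
        return token

    def redirect_url(self, base_url, token):
        """Build the https redirect the authentication module sends back."""
        return f"{base_url}?token={token}"

    def consume(self, token, now=None):
        """Infocenter side: accept the token exactly once, then invalidate it.

        Returns the username on success, or None for an unknown, already
        used (replayed) or expired token.
        """
        now = time.time() if now is None else now
        entry = self._by_hash.pop(self._digest(token), None)  # pop = invalidate
        if entry is None:
            return None
        username, issued_at = entry
        if now - issued_at > self.ttl:
            return None  # first use, but outside the allowed window
        return username

def token_from_url(url):
    """Extract the token query parameter from the redirect URL, if present."""
    values = parse_qs(urlparse(url).query).get("token", [])
    return values[0] if len(values) == 1 else None
```

Because `consume` pops the record before checking anything else, a token that was sniffed and replayed after the legitimate login fails just as the question's current design intends, and the TTL shrinks the window in which a sniffed token can be used before the real client does.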