Manual Chapter : Creating Login Pages for Secure Application Access

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Manual Chapter

About creating login pages

Your web application may contain URLs that should be accessed only through other URLs. For example, in an online banking application, account holders should be able to access their account information only by logging on through a login screen first. In your security policy, you can create login URLs to limit access to authenticated URLs.

A login page is a URL in a web application that requests must pass through to get to the authenticated URLs. Use login pages, for example, to prevent forceful browsing of restricted parts of the web application, by defining access permissions for users. Login pages also allow session tracking of user sessions.

Authenticated URLs are URLs that become accessible to users only after they successfully log in to the login URL. A logout URL is a URL that, if accessed, forces users to return to the login URL before re-accessing authenticated URLs. System administrators use these special URLs to prevent forceful browsing by causing users to pass through the login URL before viewing the restricted authenticated URLs.

Creating login pages

In your security policy, you can create a login page to specify a login URL that presents a site that users must pass through to gain access to the web application. The login URL commonly leads to the login page of the web application.
  1. On the Main tab, click Security > Application Security > Sessions and Logins. The Login Pages List screen opens.
  2. In the Current edited policy list near the top of the screen, verify that the edited security policy is the one you want to work on.
  3. Click Create. The New Login Page screen opens.
  4. For the Login URL setting, specify a URL that users must pass through to get to the application.
    1. From the list, select the type of URL: Explicit or Wildcard.
    2. Select either HTTP or HTTPS based on the type of traffic the web application accepts.
    3. Type an explicit URL or wildcard expression in the field. When you click in the field, the system lists URLs that it has seen, and you can select a URL from the list. Or, you can type explicit URLs in the format /login, and wildcard URLs without the slash, such as *.php.
  5. From the Authentication Type list, select the method the web server uses to authenticate the login URL's credentials with a web user.
    Option Description
    None The web server does not authenticate users trying to access the web application through the login URL. This is the default setting.
    HTML Form The web application uses a form to collect and authenticate user credentials. If using this option, you also need to type the user name and password parameters written in the code of the HTML form.
    HTTP Basic Authentication The user name and password are transmitted in Base64 and stored on the server in plain text.
    HTTP Digest Authentication The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text.
    NTLM Microsoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client.
  6. In the Access Validation area, define at least one validation criteria for the login page response. If you define more than one validation criteria, the response must meet all the criteria before the system allows the user to access the application login URL.
    Note: The system checks the access validation criteria on the response of the login URL only if the response has one of the following content-types: text/html, text/xml, application/sgml, application/xml, application/html, application/xhtml, application/x-asp, and application/x-aspx.
  7. Click Create to add the login page to the security policy. The new login page is added to the login pages list.
  8. Add as many login pages as needed for your web application.
  9. In the editing context area, click Apply Policy to put the changes into effect.
The security policy now has one or more login pages associated with it.
You can now configure how the login pages are enforced, including the authentication URLs, logout URLs, and whether or not the login pages have time limits.

Login page access validation criteria

Following are descriptions of the access validation criteria for the response to the login URL. You configure one or more of these validations when defining a login page.

Access validation Define in login page as
A string that should appear in the response A string that must appear in the response for the system to allow the user to access the authenticated URL; for example, Successful Login.
A string that should NOT appear in the response A string that indicates a failed login attempt and prohibits user access to the authenticated URL; for example, Authentication failed.
Expected HTTP response status code An HTTP response code that the server must return to the user to allow access to the authenticated URL; for example, 200.
Expected validation header name and value (for example, Location header) A header name and value that the response to the login URL must match to permit user access to the authenticated URL.
Expected validation domain cookie name A defined domain cookie name that the response to the login URL must match to permit user access to the authenticated URL.
Expected parameter name (added to URI links in the response) A parameter that must exist in the login URL’s HTML body to allow access to the authenticated URL.

Enforcing login pages

Login enforcement settings prevent forceful browsing attacks where attackers gain access to restricted parts of the web application by supplying a URL directly. You can use login enforcement to force users to pass through one URL (known as the login URL) before being allowed to display a different URL (known as the target URL) where they can access restricted pages and resources. Login enforcement settings specify how the security policy enforces login pages including the expiration time, authenticated URLs, and logout URLs. You can also use authenticated URLs to enforce idle time-outs on applications that are missing this functionality.
  1. On the Main tab, click Security > Application Security > Sessions and Logins > Login Enforcement. The Login Enforcement screen opens.
  2. If you want the login URL to be valid for a limited time, set Expiration Time to Enabled, and type a value, in seconds.
  3. For the Authenticated URLs setting, specify the target URLs that users can access only by way of the login URL:
    1. In the Authenticated URLs field, type the target URL name in the format /private.php (wildcards are allowed).
    2. Click Add to add the URL to the list of authenticated URLs.
    3. Repeat to add as many authenticated URLs as needed.
  4. Optionally, use the Logout URLs setting to specify the URLs used to log out of the web application:
    1. In the Logout URLs field, type the URL in the format /logout.html (explicit URLs only).
    2. Click Add.
    3. Repeat to add as many logout URLs as needed.
  5. Click Save to save your settings.
  6. To put the security policy changes into effect immediately, click Apply Policy.
If you specify authenticated URLs and a user tries to bypass them, the system issues the Login URL bypassed violation. If a user session is idle and exceeds the expiration time, the system now issues the Login URL expired violation, and the user can no longer reach the authenticated URLs. For both login violations, if the enforcement mode is blocking, the system now sends the Login Page Response to the client (see Application Security > Blocking > Response Pages).