Manual Chapter : Creating Login Pages for Secure Application Access

Applies To:

BIG-IP ASM

  • 14.1.3, 14.1.2, 14.1.0

About login pages

Most web applications use login pages as a way to secure the application and authenticate application users. A login page specifies the login URL in a web application that users must pass through to get to the authenticated URLs at the heart of the application. Authenticated URLs are URLs that become accessible to users only after they successfully log in to the login URL. A logout URL is a URL that, if accessed, forces users to return to the login URL before re-accessing authenticated URLs. System administrators use these special URLs to prevent forceful browsing by causing users to pass through the login URL before viewing the restricted authenticated URLs. In addition to specifying the login URL, login pages in the security policy can also enforce access validation by defining access permissions for users.
In Application Security Manager (ASM), security policies use login pages for several features:
  • Login enforcement for secure application access
  • Session awareness
  • Brute force attack prevention
  • Integration with database security
Login enforcement specifies the authenticated URLs and logout URLs for the application. Session awareness provides tracking information of user sessions so that you can investigate suspicious activity and the attacker. Brute force protection prevents hackers from staging multiple attempts to guess user names and passwords so that they can log on to the application. Database security integration can use login pages to provide event notification and user data to a third-party database monitoring system.

About creating login and logout pages

Your web application might contain URLs that should be accessed only through other URLs. For example, in an online banking application, account holders should be able to access their account information only by logging on through a login screen first. You can create login pages manually, or have the system create them automatically.
Application Security Manager (ASM) adds login pages for you automatically if you use certain options. The options are Detect Login Pages and Learn from Responses in the Learning and Blocking Settings. If you create the security policy automatically using the Comprehensive policy template, the system sets these options by default. If you are using Fundamental, you can explicitly set these options. These options cause ASM to detect login pages in the web application and add them to the security policy when sufficient legitimate traffic has accessed the application.
You can also create login or logout pages manually by specifying the login or logout URLs used by the application. The same URL can be used as both a login URL and a logout URL.

Creating login pages automatically

Login pages specify a login URL that presents a site that users must pass through to gain access to the web application. Your existing security policy can detect and create login pages automatically if you use certain options.
If you are creating a security policy automatically and selected Comprehensive as the policy template, the default options are already set to create login pages automatically. If you are using the Fundamental policy template, the steps here explain the options to configure ASM to automatically detect and create login pages for your application.
For brute force protection to work, ensure that the policy's enforcement mode is set to Blocking. If a policy's enforcement mode is set to Transparent, no brute force mitigation action will be performed.
  1. On the Main tab, click Security > Application Security > Policy Building > Learning and Blocking Settings.
    The Learning and Blocking Settings screen opens.
  2. Ensure that the Learning Mode is set to Automatic.
    The system examines the traffic to the web application, and after processing sufficient legitimate traffic, the system builds the security policy automatically by adding and enforcing elements with minimal manual intervention. A few learning suggestions require your review before they are added.
  3. In the Policy Building Settings area, expand Sessions and Logins and ensure that Brute Force: Maximum login attempts are exceeded is enabled for both Alarm and Block.
  4. In the Policy Building Process area, expand Options and ensure that Learn from responses is selected.
  5. Click Save to save your settings.
  6. In the editing context area, click Apply Policy to put the changes into effect.
The security policy looks for login pages by examining traffic to the web application. When a login page is found, the Policy Builder suggests adding the login form to the security policy. Because the suggestion is learned from responses and responses are considered trusted, if the Learning Mode is Automatic, the login page is typically added to the policy right away.
If the Learning Mode is Manual, the login page is added to the learning suggestions on the Traffic Learning screen where you can add it to the policy. The login pages in the security policy are included in the Login Pages List.
You can use the login pages for login enforcement, brute force protection, or session awareness.

Creating login pages manually

Before you can create a login page manually, you need to be familiar with the login URL or URLs of the application that the security policy is protecting.
In your security policy, you can create a login page manually to specify a login URL that presents a site that users must pass through to gain access to the web application. The login URL commonly leads to the login page of the web application.
You can also have the system create login pages automatically by selecting Detect login pages on the Learning and Blocking Settings screen.
  1. On the Main tab, click Security > Application Security > Sessions and Logins.
    The Login Pages List screen opens.
  2. In the Current edited security policy list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. Click Create.
    The New Login Page screen opens.
  4. For the Login URL setting, specify a URL that users must pass through to get to the application.
    1. From the list, select the type of URL: Explicit or Wildcard.
    2. Select either HTTP or HTTPS based on the type of traffic the web application accepts.
    3. Type an explicit URL or wildcard expression in the field.
      When you click in the field, the system lists URLs that it has seen, and you can select a URL from the list. Or, you can type explicit URLs in the format /login, and wildcard URLs without the slash, such as *.php.
      Wildcard syntax is based on shell-style wildcard characters. This table lists the wildcard characters that you can use so that the entity name can match multiple objects.
      Wildcard Character | Matches
      * | All characters
      ? | Any single character.
      [abcde] | Exactly one of the characters listed.
      [!abcde] | Any character not listed.
      [a-e] | Exactly one character in the range.
      [!a-e] | Any character not in the range.
      Note that wildcards do not match regular expressions.
  5. From the Authentication Type list, select the method the web server uses to authenticate the login URL's credentials with a web user.
    Option | Description
    None | The web server does not authenticate users trying to access the web application through the login URL. This is the default setting.
    HTML Form | The web application uses a form to collect and authenticate user credentials. If using this option, you also need to type the user name and password parameters written in the code of the HTML form.
    HTTP Basic Authentication | The user name and password are transmitted in Base64 and stored on the server in plain text.
    HTTP Digest Authentication | The web server performs the authentication; user names and passwords are not transmitted over the network, nor are they stored in plain text.
    NTLM | Microsoft LAN Manager authentication (also called Integrated Windows Authentication) does not transmit credentials in plain text, but requires a continuous TCP connection between the server and client.
    JSON/AJAX Request | The web server uses JSON and AJAX requests to authenticate users trying to access the web application through the login URL. For this option, you also need to type the name of the JSON element containing the user name and password.
  6. In the Access Validation area, define at least one validation criterion for the login page response.
    If you define more than one validation criterion, the response must meet all the criteria before the system allows the user to access the application login URL.
    The system checks the access validation criteria on the response according to the content-type of the login URL. Supported content-types are text/*, application/x-javascript, application/sgml, application/xml, application/x-asp, application/x-aspx, application/xhtml+xml, application/json, application/x-shockwave-flash. You can use the internal parameter user_defined_accum_type to add supported content-types.
  7. Click Create to add the login page to the security policy.
    The new login page is added to the login pages list.
  8. Add as many login pages as needed for your web application.
  9. In the editing context area, click Apply Policy to put the changes into effect.
The security policy now has one or more login pages associated with it. They are included in the Login Pages List.
You can use the login pages you created for login enforcement, brute force protection, or session awareness.

Login page access validation criteria

Following are descriptions of the access validation criteria for the response to the login URL. You configure one or more of these validations when defining a login page manually. A login attempt is only successful if all of the specified validation criteria are satisfied.
Access validation | Define in login page as
A string that should appear in the response | A string that must appear in the response for the system to allow the user to access the authenticated URL; for example, Successful Login.
A string that should NOT appear in the response | A string that indicates a failed login attempt and prohibits user access to the authenticated URL; for example, Authentication failed.
Expected HTTP response status code | An HTTP response code that the server must return to the user to allow access to the authenticated URL; for example, 200.
Expected validation header name and value (for example, Location header) | A header name and value that the response to the login URL must match to permit user access to the authenticated URL.
Expected validation domain cookie name | A defined domain cookie name that the response to the login URL must match to permit user access to the authenticated URL.
Expected parameter name (added to URI links in the response) | A parameter that must exist in the login URL’s HTML body to allow access to the authenticated URL.
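An added Python model of the criteria in this table (an illustration written for this page, not ASM code): the field names, the exact-match header comparison, the link-parameter pattern and both sample responses are assumptions constructed here. It shows how a status code criterion alone accepts a failed login when the application answers 200 either way, while combined criteria reject it.

```python
import re
from dataclasses import dataclass, fields
from typing import Optional, Tuple

@dataclass
class Criteria:
    """One field per row of the table; None means the criterion is not set."""
    must_contain: Optional[str] = None
    must_not_contain: Optional[str] = None
    status_code: Optional[int] = None
    header: Optional[Tuple[str, str]] = None   # (name, expected value)
    cookie_name: Optional[str] = None
    parameter_name: Optional[str] = None

def failed_criteria(c, status, headers, cookies, body):
    """Return the configured criteria that a login response does not meet."""
    if all(getattr(c, f.name) is None for f in fields(c)):
        raise ValueError("define at least one validation criterion")
    failed = []
    if c.must_contain is not None and c.must_contain not in body:
        failed.append("must_contain")
    if c.must_not_contain is not None and c.must_not_contain in body:
        failed.append("must_not_contain")
    if c.status_code is not None and status != c.status_code:
        failed.append("status_code")
    if c.header is not None:
        seen = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
        if seen.get(c.header[0].lower()) != c.header[1]:    # exact value: assumption
            failed.append("header")
    if c.cookie_name is not None and c.cookie_name not in cookies:
        failed.append("cookie_name")
    if c.parameter_name is not None and not re.search(
            r"[?&;]" + re.escape(c.parameter_name) + "=", body):
        failed.append("parameter_name")
    return failed

def login_succeeded(c, **response):
    """A login counts as successful only if every configured criterion holds."""
    return not failed_criteria(c, **response)

# Constructed responses from a hypothetical application that returns 200 either way.
GOOD = dict(status=200, headers={"Content-Type": "text/html"}, cookies={"SESSION"},
            body='<p>Successful Login</p><a href="/home?sid=abc">Home</a>')
BAD = dict(status=200, headers={"Content-Type": "text/html"}, cookies=set(),
           body="<p>Authentication failed</p>")
STATUS_ONLY = Criteria(status_code=200)
STRICT = Criteria(status_code=200, must_not_contain="Authentication failed",
                  cookie_name="SESSION", parameter_name="sid")
print(login_succeeded(STATUS_ONLY, **BAD), failed_criteria(STRICT, **BAD))
```

Running captured login responses through a model like this before configuring the login page helps confirm that the chosen criteria separate successful from failed logins, which brute force protection and login enforcement both depend on.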

Enforcing login pages

Login enforcement settings prevent forceful browsing attacks where attackers gain access to restricted parts of the web application by supplying a URL directly. You can use login enforcement to force users to pass through one URL (known as the login URL) before being allowed to display a different URL (known as the target URL) where they can access restricted pages and resources.
Login enforcement indicates how the security policy implements login pages including an optional expiration time, a list of URLs that require authentication to get to, and a list of URLs used to log out of the application. You can also use authenticated URLs to enforce idle time-outs on applications that are missing this functionality.
  1. On the Main tab, click Security > Application Security > Sessions and Logins > Login Enforcement.
    The Login Enforcement screen opens.
  2. If you want the login URL to be valid for a limited time, set Expiration Time to Enabled, and type a value, in seconds (1-99999), that indicates how long the session will last.
    If enabled, the login session ends after the number of seconds has passed.
  3. For the Authenticated URLs setting, specify the target URLs that users can access only by way of the login URL:
    1. In the Authenticated URLs (Wildcards supported) field, type the target URL name in the format /private.php (wildcards are allowed).
    2. Click Add to add the URL to the list of authenticated URLs.
    3. Repeat to add as many authenticated URLs as needed.
  4. Click Save to save your settings.
  5. To put the security policy changes into effect immediately, click Apply Policy.
If you specify authenticated URLs and a user tries to access them, bypassing the login URL (specified in a Login Page), the system issues the Login URL bypassed violation. If a user session is idle and exceeds the expiration time, the system issues the Login URL expired violation, logs the user out, and as a result, the user can no longer reach the authenticated URLs. For both login violations, if the enforcement mode is blocking, the system now sends the Login Page Response to the client (see Application Security > Policy > Response Pages).
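The enforcement decision described above, as an added Python model (not ASM code or the product's implementation). It assumes that Python's fnmatchcase approximates the shell-style wildcards and that idle time is measured from the session's last allowed request; the session ids, URLs and timings are constructed.

```python
from fnmatch import fnmatchcase

class LoginEnforcement:
    """Model of the Login Enforcement settings; an illustration, not ASM code."""
    def __init__(self, login_url, authenticated_urls, logout_urls=(), expiration=None):
        self.login_url = login_url
        self.authenticated_urls = list(authenticated_urls)  # wildcards supported
        self.logout_urls = set(logout_urls)                 # explicit URLs only
        self.expiration = expiration                        # seconds, None = disabled
        self.last_seen = {}                                 # session id -> last request time

    def check(self, session, url, now, login_ok=False):
        """Return None if the request is allowed, else the violation name."""
        if url in self.logout_urls:
            self.last_seen.pop(session, None)    # user must log in again
            return None
        if url == self.login_url:
            if login_ok:                         # access validation criteria were met
                self.last_seen[session] = now
            return None
        if not any(fnmatchcase(url, p) for p in self.authenticated_urls):
            return None                          # URL is not an authenticated URL
        if session not in self.last_seen:
            return "Login URL bypassed"
        if self.expiration is not None and now - self.last_seen[session] > self.expiration:
            del self.last_seen[session]          # the user is logged out
            return "Login URL expired"
        self.last_seen[session] = now
        return None

def replay(policy, requests):
    """Run constructed (session, url, time, login_ok) tuples through the policy."""
    return [policy.check(*r) for r in requests]

POLICY = LoginEnforcement("/login", ["/private.php", "/account/*"],
                          logout_urls=["/logout.html"], expiration=600)
REQUESTS = [                                   # constructed sample traffic
    ("s1", "/account/balance", 0, False),      # direct request, never logged in
    ("s1", "/login", 5, True),                 # successful login
    ("s1", "/account/balance", 10, False),
    ("s1", "/private.php", 700, False),        # idle 690 s > 600 s
    ("s2", "/login", 0, False),                # failed login
    ("s2", "/private.php", 1, False),
    ("s3", "/login", 0, True),
    ("s3", "/logout.html", 5, False),
    ("s3", "/account/balance", 6, False),      # after logout
    ("s3", "/index.html", 7, False),           # not an authenticated URL
]
print(replay(POLICY, REQUESTS))
```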

Creating logout pages

Before you can create a logout page, you need to be familiar with the logout URL the application uses.
In your security policy, you can create a logout page to specify a logout URL that users go to when they log out of the web application. The logout URL can be the same as the login URL.
  1. On the Main tab, click Security > Application Security > Sessions and Logins > Logout Pages List.
  2. In the Current edited security policy list near the top of the screen, verify that the security policy shown is the one you want to work on.
  3. Click Create.
  4. For the Logout URL (Explicit only) setting, specify a URL that users go to when they log out of the application.
    1. Select either HTTP or HTTPS based on the type of traffic the web application accepts.
    2. Type an explicit URL in the format /logout.html.
  5. Optionally, type strings that should or should not appear in the request.
  6. Click Create.
  7. In the editing context area, click Apply Policy to put the changes into effect.
The security policy now has a logout page associated with it, and the page is included in the Logout Pages List. Logout URLs are automatically added to the list of allowed URLs.