000021828 - How to preserve POST'ed form data through forms-based authentication in RSA ClearTrust

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number
000021828
Applies To
RSA ClearTrust Agent 4.6 for Microsoft Internet Information Services (IIS) 6.0

RSA ClearTrust Agent 4.5 for Microsoft Internet Information Services (IIS) 6.0
Issue
How to preserve POST'ed form data through forms-based authentication in RSA ClearTrust
Form data submitted by POST method is preserved through forms-based authentication in RSA ClearTrust
Form data submitted by POST method is stripped from the request when the agent authenticates or re-authenticates the user
Cause
When the RSA ClearTrust Agent detects that a user is trying to access a protected resource (and has not been authenticated), it redirects the user to the logon pages with a GET request. Form data from the original page submitted by POST method is eliminated when the logon page is served. Form data submitted as a querystring is preserved.
Resolution
Option 1: Use GET for form submission method instead of POST. This may not be possible in case of large form submissions, but is feasible, assuming the contents of the form are guaranteed not to exceed the maximum length of a querystring.

Option 2: Use non-forms-based HTTP Basic authentication. Since HTTP Basic authentication is carried out as a browser challenge, the client is never redirected, and the POST data is not lost. The drawback to this method is that session timeout control is lost, since Basic authentication is handled between the client and the web server, not the client and the agent.

Option 3: Use Integrated Windows Authentication (IWA). In Windows network environments, Internet Explorer automatically and silently provides a user's NT domain credentials to IIS, which is configured to authenticate the user. Since this is done as part of processing the request, the client is never redirected and form data is not lost. Note that this requires your ClearTrust users to be NT domain users. NOTE: Mozilla-based browsers handle Integrated Windows Authentication as a special case of HTTP Basic authentication, so users will be challenged by a modal dialogue instead of being authenticated silently.

Option 4: Using the WAX API, write an extension to the web agent that preserves POST data in the redirection to the logon forms, and modify the logon forms' code to preserve the POST data through redirections from ct_logon.asp and ct_home.asp.
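
A sketch of the data handling behind Option 4, added here as an illustration; it is not RSA code, WAX API code or the ClearTrust logon pages' own code. It packs the original POST fields into hidden logon-form fields, HTML-escapes them, and protects them with an HMAC so they can be verified before being replayed after logon. The field names (saved_target, saved_post, saved_mac), the shared secret and the use of Python are assumptions.

```python
import hashlib
import hmac
import html
from urllib.parse import parse_qsl, urlencode

# Assumption: a secret known only to the agent extension and the logon pages.
SECRET = b"constructed-demo-key"

def _mac(target_url, body):
    """HMAC over the original target and the serialized form body."""
    msg = target_url.encode() + b"\n" + body.encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def stash_post(target_url, fields):
    """Before redirecting to logon: serialize the POST fields (list of pairs)."""
    body = urlencode(fields)
    return {"saved_target": target_url, "saved_post": body,
            "saved_mac": _mac(target_url, body)}

def hidden_inputs(saved):
    """Render the saved values as hidden fields for the logon form.
    Everything is HTML-escaped, since it is unauthenticated user input."""
    return "\n".join(
        '<input type="hidden" name="%s" value="%s">'
        % (html.escape(k, quote=True), html.escape(v, quote=True))
        for k, v in saved.items())

def restore_post(saved):
    """After a successful logon: return (target, fields), or None if the saved
    values were altered in transit. No expiry or user binding is shown here."""
    target = saved.get("saved_target", "")
    body = saved.get("saved_post", "")
    expected = _mac(target, body)
    if not hmac.compare_digest(expected.encode(), saved.get("saved_mac", "").encode()):
        return None
    return target, parse_qsl(body, keep_blank_values=True)

if __name__ == "__main__":
    # Constructed sample form submission, including markup and a repeated field.
    form = [("comment", '"><b>hi</b> & more'), ("qty", "2"), ("qty", "")]
    saved = stash_post("/orders/submit.asp", form)
    print(hidden_inputs(saved))
    print(restore_post(saved))
    print(restore_post(dict(saved, saved_target="/admin/delete.asp")))
```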
Legacy Article ID
a25284