I want to exclude users that have logged in via Access from various cache or waf rules for the website. Is there a cookie or something that identifies them?
Thank you
Hi,
You can use the same URL pattern used with the Access policy. For instance, if you have Access protecting /wp-admin and /wp-login.php and you need to block all requests for other PHP files, you can exclude these two paths in the definition of your WAF Custom Rule:
not starts_with(http.request.uri.path, "/wp-admin") and
http.request.uri.path ne "/wp-login.php") and
http.request.uri.path.extension eq "php"
You could also use the cookie name CF_Authorization, but since Access comes after WAF, any WAF rule would only be bypassed based on that cookie after user has been authenticated, not on their first visit, which depending on your WAF rules may be a problem.
2 Likes
I ended up using CF_Authorization - many thanks 
2 Likes
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.