Forum Discussion

stupid48's avatar
stupid48
Icon for Altocumulus rankAltocumulus
Jul 27, 2022

Can't identify cookie

So, I'm running the "ultimate iRule debug" trying to figure out who is setting a cookie.  It's a cookie that we think shouldn't be coming from the pool member.  The reason we say that is when we test with a working connection (ie authenticated), that cookie never gets set.  Specifically, in the debug, we don't see in in the "http_response" but see it in the "http_response_release":

<HTTP_RESPONSE>: ----------- http_response -----------
<HTTP_RESPONSE>: uid: db9aebfa8 - status: 200
<HTTP_RESPONSE>: uid: db9aebfa8 - pool member IP: /Common/Prod.app/Prod_pool 10.xxx.xxx.xxx 4443
<HTTP_RESPONSE>: uid: db9aebfa8 - Date: Wed, 27 Jul 2022 15:44:05 GMT
<HTTP_RESPONSE>: uid: db9aebfa8 - Server:
<HTTP_RESPONSE>: uid: db9aebfa8 - Last-Modified: Sun, 27 Mar 2022 14:31:19 GMT
<HTTP_RESPONSE>: uid: db9aebfa8 - ETag: "4c5-5db340c8e7bc0"
<HTTP_RESPONSE>: uid: db9aebfa8 - Accept-Ranges: bytes
<HTTP_RESPONSE>: uid: db9aebfa8 - Content-Length: 1221
<HTTP_RESPONSE>: uid: db9aebfa8 - X-Frame-Options: SAMEORIGIN
<HTTP_RESPONSE>: uid: db9aebfa8 - X-Content-Type-Options: nosniff
<HTTP_RESPONSE>: uid: db9aebfa8 - Keep-Alive: timeout=15
<HTTP_RESPONSE>: uid: db9aebfa8 - Connection: Keep-Alive
<HTTP_RESPONSE>: uid: db9aebfa8 - Content-Type: text/html
<HTTP_RESPONSE>: uid: db9aebfa8 - Content-Language: en
<HTTP_RESPONSE>: uid: db9aebfa8 - Set-Cookie: cosmos=1795096330.23313.0000; path=/; Httponly; Secure
<HTTP_RESPONSE>: ----------- http_response -----------
<HTTP_RESPONSE>:
<HTTP_RESPONSE_DATA>: ----------- http_response_payload -----------
<HTTP_RESPONSE_DATA>: uid: db9aebfa8 - Response (Body) payload: <!-- dbdrv: none --> <!-- appdet.html --> <html> <HEAD> <TITLE>Home Page Redirect</TITLE> <META http-equiv=REFRESH content="1; URL=https://xx"> </HEAD> <body> <DIV ID="content">
<HTTP_RESPONSE_DATA>: ----------- http_response_payload -----------
<HTTP_RESPONSE_DATA>:
<HTTP_RESPONSE_RELEASE>: ----------- http_response_release -----------
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - status: 200
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - pool member IP: /Common/Prod.app/Prod_pool 10.xxx.xxx.xxx 4443
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Date: Wed, 27 Jul 2022 15:44:05 GMT
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Last-Modified: Sun, 27 Mar 2022 14:31:19 GMT
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - ETag: "4c5-5db340c8e7bc0"
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Accept-Ranges: bytes
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Content-Length: 1221
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - X-Frame-Options: SAMEORIGIN
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - X-Content-Type-Options: nosniff
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Keep-Alive: timeout=15
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Connection: Keep-Alive
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Content-Type: text/html
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Content-Language: en
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Set-Cookie: TS011b84d2=016cf3c73c8f3d3632c2783e0a6b27af43cf9a592e6129af3e0094acb85d88f58b02e11b8e2eb6d5ab7441d929cb436e1013ea5426b3043afc175bdc1f95d285a3e1faa534; Path=/
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Set-Cookie: TS011b84d2=016cf3c73c8f3d3632c2783e0a6b27af43cf9a592e6129af3e0094acb85d88f58b02e11b8e2eb6d5ab7441d929cb436e1013ea5426b3043afc175bdc1f95d285a3e1faa534; Path=/
<HTTP_RESPONSE_RELEASE>: ----------- http_response_release -----------

The cookie I am referring to is: TS011b84d2

My question is, why does the cookie show up only in the http_response_release?  Wouldn't it show up in the http_response as well if it was being set by the pool member?  To me it almost seems like the LTM is setting the cookie.

  • TS cookies come from ASM/AdvWAF. That uses the plugin architecture, which grabs responses early on the server side, bypasses much of the normal hud chain on the proxy path, and releases them late on the client side, which is why they are masked until HTTP_RESPONSE_RELEASE. Here are details on the ASM cookies: https://support.f5.com/csp/article/K54501322

3 Replies

  • TS cookies come from ASM/AdvWAF. That uses the plugin architecture, which grabs responses early on the server side, bypasses much of the normal hud chain on the proxy path, and releases them late on the client side, which is why they are masked until HTTP_RESPONSE_RELEASE. Here are details on the ASM cookies: https://support.f5.com/csp/article/K54501322