Forum Discussion
Stefan_126426
Nimbostratus
Jan 02, 2013
Confusing ASP.NET session cookie rewriting with HttpOnly flag version 10
Hi Everyone, first post here so a little introduction.
I am a sysadmin/developer for a large insurance company and have just taken ownership of our F5 box. 12 Years IT experience so I can usuall...
nitass
Employee
Jan 03, 2013
[root@ve10:Active] config b rule myrule list
rule myrule {
   when HTTP_RESPONSE {
      # Collect every Set-Cookie value, then remove the originals
      set myValues [HTTP::header values "Set-Cookie"]
      log local0. "myValues: $myValues"
      HTTP::header remove "Set-Cookie"
      foreach mycookies $myValues {
         # Debug logging of each parsing step
         log local0. "-----"
         log local0. "mycookies: $mycookies"
         log local0. "\[lindex $mycookies 0\]: [lindex $mycookies 0]"
         log local0. "scan \[lindex $mycookies 0\] {%\[^=\]=%\[^;\]} currentName currentValue: [scan [lindex $mycookies 0] {%[^=]=%[^;]} currentName currentValue]"
         log local0. "currentName: $currentName"
         log local0. "currentValue: $currentValue"
         # Extract name and value, then re-insert the cookie with fixed attributes
         scan [lindex $mycookies 0] {%[^=]=%[^;]} currentName currentValue
         HTTP::header insert "Set-Cookie" "$currentName=$currentValue; HttpOnly; Secure; Path=/"
      }
   }
}
client
[root@centos251 ~] curl -I http://172.28.19.252
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 21216
Content-Type: text/html; charset=utf-8
Expires: -1
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Wed, 02 Jan 2013 15:26:51 GMT
Set-Cookie: ASP.NET_SessionId=d4or5si4ezfo3oiienjmzjug; HttpOnly; Secure; Path=/
Set-Cookie: testcookie=123456; HttpOnly; Secure; Path=/
Set-Cookie: mycookie=abcdef; HttpOnly; Secure; Path=/
log on bigip
[root@ve10:Active] config tail -f /var/log/ltm
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : myValues: {ASP.NET_SessionId=d4or5si4ezfo3oiienjmzjug; path=/; HttpOnly} {testcookie=123456; path=/} {mycookie=abcdef; path=/; HttpOnly}
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : -----
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : mycookies: ASP.NET_SessionId=d4or5si4ezfo3oiienjmzjug; path=/; HttpOnly
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : [lindex ASP.NET_SessionId=d4or5si4ezfo3oiienjmzjug; path=/; HttpOnly 0]: ASP.NET_SessionId=d4or5si4ezfo3oiienjmzjug;
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : scan [lindex ASP.NET_SessionId=d4or5si4ezfo3oiienjmzjug; path=/; HttpOnly 0] {%[^=]=%[^;]} currentName currentValue: 2
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : currentName: ASP.NET_SessionId
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : currentValue: d4or5si4ezfo3oiienjmzjug
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : -----
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : mycookies: testcookie=123456; path=/
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : [lindex testcookie=123456; path=/ 0]: testcookie=123456;
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : scan [lindex testcookie=123456; path=/ 0] {%[^=]=%[^;]} currentName currentValue: 2
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : currentName: testcookie
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : currentValue: 123456
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : -----
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : mycookies: mycookie=abcdef; path=/; HttpOnly
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : [lindex mycookie=abcdef; path=/; HttpOnly 0]: mycookie=abcdef;
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : scan [lindex mycookie=abcdef; path=/; HttpOnly 0] {%[^=]=%[^;]} currentName currentValue: 2
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : currentName: mycookie
Jan 4 08:10:03 local/tmm info tmm[4876]: Rule myrule : currentValue: abcdef
hope this helps. 🙂
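An attribute-preserving variant of the rewrite in the rule above, as an added example in plain Tcl (runnable in tclsh) that is not part of the original reply: it adds HttpOnly and Secure only when missing and keeps Path, Domain and Expires as the application sent them. The proc name `harden_set_cookie` is hypothetical, and the last two sample cookies are constructed.

```tcl
# Added example, not code from the thread. harden_set_cookie is a hypothetical
# helper name. It returns one Set-Cookie value with HttpOnly and Secure present
# exactly once, keeping every attribute the application already set.
proc harden_set_cookie {raw} {
    # Split on ';' as plain text. Running lindex on the raw header treats it
    # as a Tcl list, so a value with a space ("greeting=hello world") is cut
    # at the first space.
    set parts [split $raw ";"]
    set out [list [string trim [lindex $parts 0]]]
    set seen [list]
    foreach attr [lrange $parts 1 end] {
        set attr [string trim $attr]
        if {$attr eq ""} { continue }
        # Attribute names are case-insensitive: compare in lower case.
        lappend seen [string tolower [string trim [lindex [split $attr "="] 0]]]
        lappend out $attr
    }
    foreach flag {HttpOnly Secure} {
        if {[lsearch -exact $seen [string tolower $flag]] < 0} {
            lappend out $flag
        }
    }
    return [join $out "; "]
}

# First two values are taken from the log above; the last two are constructed.
set samples [list \
    "ASP.NET_SessionId=d4or5si4ezfo3oiienjmzjug; path=/; HttpOnly" \
    "testcookie=123456; path=/" \
    "pref=dark; domain=example.test; expires=Wed, 09 Jan 2013 15:26:51 GMT; path=/app" \
    "greeting=hello world; path=/; httponly; secure"]

foreach raw $samples {
    puts "in : $raw"
    puts "out: [harden_set_cookie $raw]"
}
```

On the BIG-IP the body of the proc would sit inside the `foreach` loop of the rule in place of the `lindex`/`scan` pair (an assumption, not tested on a BIG-IP). A browser returns a Secure cookie only over HTTPS, so the rewrite belongs on a virtual server that clients reach over TLS.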