Need help with cookie persistence. LTM version 9.4.6. How do I set the F5 cookie to http only?

Hi Dave, Did this come up in a vulnerability report for your LTM hosted app? It is possible to append the HttpOnly flag to LTM's set-cookie header. However, the persistence cookie only dictates which pool member LTM sends requests to. There aren't any significant security concerns with an attacker getting this as it's not used (at least by default) by LTM for anything security related. If you do want to append the HttpOnly flag, you could try something like this: when SERVER_CONNECTED { Save the name of the currently connected pool set pool_name [LB::server pool] } when HTTP_RESPONSE { Check if the response contains the persistence cookie if {[HTTP::cookie BIGipServer${pool_name}] ne ""}{ Replace the last Set-Cookie header value with the same value and ; HttpOnly appended HTTP::header replace Set-Cookie "[HTTP::header Set-Cookie]; HttpOnly" } } Aaron

Hi Hoolio, Thanks for the response. Yes, a security scan identified the issue and I've been tasked with correcting it. I will try your suggestion, but I'll also try to convince the powers-that-be that this is not a security concern, although in the long run it's just easier to make the issue go away. Dave

Just to clarify, the cookie insert persistence cookie contains an encoding of the pool member IP:port as described in SOL6917: sol6917: Overview of BIG-IP persistence cookie encoding https://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html So it does contain what could be considered sensitive data as it exposes the server IP addresses and ports from the pool. If that's a concern for you, you can encrypt the cookie value using a custom HTTP profile: sol7784: Overview of cookie encryption http://support.f5.com/kb/en-us/solutions/public/7000/700/sol7784.html That said, the fact that the persistence cookie is accessible from clientside scripts is somewhat irrelevant as it's not specific to the client's session--an attacker could get all of the possible cookie values just by making requests to the virtual server. Aaron

I actually already encrypt the cookie, so the rule as is does not work. Is there a way to just append http only to end of the cookie string w/o having to read the cookie? Change this Response sets a cookie: Set-Cookie: cookie_20=JWOPqD5SyEEcTl6wL8WbEaGhvIF3mSxzdYWRnGXyQTssab7fYqmJGJ2EfiYfHwAssBZQ0brxJV7mNdo=; expires=Thu, 12-May-2011 15:51:54 GMT; path=/ To this Response sets a cookie: Set-Cookie: cookie_20=JWOPqD5SyEEcTl6wL8WbEaGhvIF3mSxzdYWRnGXyQTssab7fYqmJGJ2EfiYfHwAssBZQ0brxJV7mNdo=; expires=Thu, 12-May-2011 15:51:54 GMT; path=/; HttpOnly

That's what that iRule I posted should do. What happens if you try it? If you're concerned about it not working and the virtual server is in production, you could create a test virtual server and try it there. Aaron

cookie persistence sendfor: http only

14 Replies

DaveC_53879
Nimbostratus
May 13, 2011
No joy.

May 13 13:29:18 tmm tmm[1711]: Rule http_only : 64.191.221.100:2156: Pool AA_sessiontest_pool

May 13 13:29:19 tmm tmm[1711]: Rule http_only : 64.191.221.100:2156: Current Set-Cookie: cookie_20=XyQIr5KAkKuQeqIk3Pa6bfE+YCnjQ/2h9I8arhY6nbqY27comZp4GIxhDBrMFGTy8z/YCxdndQFluXQ=; expires=Fri, 13-May-2011 17:49:19 GMT; path=/

May 13 13:29:19 tmm tmm[1711]: Rule http_only : 64.191.221.100:2158: Pool AA_sessiontest_pool

May 13 13:29:19 tmm tmm[1711]: Rule http_only : 64.191.221.100:2158: Current Set-Cookie: cookie_20=ewn7MZVX5vmp2oUk3Pa6bfE+YCnjQ2bAiX2zm7YxiPOqbOIuALBym5eBNHMR6W90ocDS7A7R8so94CE=; expires=Fri, 13-May-2011 17:49:19 GMT; path=/

May 13 13:29:19 tmm tmm[1711]: Rule http_only : 64.191.221.100:2158: Current Set-Cookie:

May 13 13:29:19 tmm tmm[1711]: Rule http_only : 64.191.221.100:2156: Current Set-Cookie:

May 13 13:29:19 tmm tmm[1711]: Rule http_only : 64.191.221.100:2158: Current Set-Cookie:

May 13 13:29:19 tmm tmm[1711]: Rule http_only : 64.191.221.100:2156: Current Set-Cookie:

May 13 13:29:19 tmm tmm[1711]: Rule http_only : 64.191.221.100:2163: Pool AA_sessiontest_pool

May 13 13:29:19 tmm tmm[1711]: Rule http_only : 64.191.221.100:2165: Pool AA_sessiontest_pool

May 13 13:29:19 tmm tmm[1711]: Rule http_only : 64.191.221.100:2164: Pool AA_sessiontest_pool

May 13 13:29:19 tmm tmm[1711]: Rule http_only : 64.191.221.100:2166: Pool AA_sessiontest_pool

May 13 13:29:19 tmm tmm[1711]: Rule http_only : 64.191.221.100:2158: Current Set-Cookie:

May 13 13:29:19 tmm tmm[1711]: Rule http_only :64.191.221.100:2156: Current Set-Cookie:

May 13 13:29:19 tmm tmm[1711]: Rule http_only : 64.191.221.100:2163: Current Set-Cookie: cookie_20=skYHioWFBX16sTck3Pa6bfE+YCnjQxfwdp0xQQ0YKwBsP3Kn9fP07Sy550o0djwv3C+4y5cZGl/JgYc=; expires=Fri, 13-May-2011 17:49:19 GMT; path=/

May 13 13:29:19 tmm tmm[1711]: Rule http_only : 64.191.221.100:2165: Current Set-Cookie: cookie_20=Staj7MuqzlKDDx8k3Pa6bfE+YCnjQ5LdzGHasvVYsSSv4bdDIh3Lj42u3tohZvOrg7WfUDTanwDeKKQ=; expires=Fri, 13-May-2011 17:49:19 GMT; path=/

May 13 13:29:19 tmm tmm[1711]: Rule http_only : 64.191.221.100:2164: Current Set-Cookie: cookie_20=ygC7s4TV6J+uKIck3Pa6bfE+YCnjQwnPARjkFSReKH5tFENSJub3vXJ8eo2+ct1ZErFJ1NpNR3hdyDQ=; expires=Fri, 13-May-2011 17:49:19 GMT; path=/

May 13 13:29:19 tmm tmm[1711]: Rule http_only : 64.191.221.100:2166: Current Set-Cookie: cookie_20=sw0yijTubs3Is0Mk3Pa6bfE+YCnjQ093u4KOQXSnrMlhgthQPGmUEroj3Ibo0JoXemwCsHpkrWtpmZE=; expires=Fri, 13-May-2011 17:49:19 GMT; path=/
AJ_102868
Nimbostratus
Oct 14, 2011
Do you think appending every LTM cookie puts significant overhead on the LTM or am just not giving LTM enough credit?

nitass

Employee

Oct 15, 2011

Hi DaveC,

[root@iris:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.17.33:http
   ip protocol tcp
   persist mycookie
   profiles {
      myhttp {}
      tcp {}
   }
}
[root@iris:Active] config  b profile mycookie list
profile persist mycookie {
   defaults from cookie
   mode cookie
   timeout 180
   cookie mode insert
   cookie name "cookie_20"
}
[root@iris:Active] config  b profile myhttp list
profile http myhttp {
   defaults from http
   cookie secret "secret"
   encrypt cookies "cookie_20"
}

[root@iris:Active] config  curl -I http://172.28.17.33
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 01:29:40 GMT
Server: Apache/2.0.59 (rPath)
Last-Modified: Sat, 11 Jun 2011 00:31:47 GMT
ETag: "667a-67-cfb682c0"
Accept-Ranges: bytes
Content-Length: 103
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Set-Cookie: cookie_20=DtUT7p97+feyDIKi2OCuEWPqv0KMJRGoC16eEnwbcXGkonYaZHplZ51iBCel9egDDSZfSZ3TfeACgWg=; path=/

[root@iris:Active] config  b rule myrule list
rule myrule {
   when HTTP_RESPONSE {
   if {[HTTP::cookie "cookie_20"] ne ""}{
      HTTP::header replace Set-Cookie "[HTTP::header Set-Cookie]; HttpOnly"
   }
}
}

[root@iris:Active] config  b virtual bar rule myrule

[root@iris:Active] config  curl -I http://172.28.17.33
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2011 01:30:02 GMT
Server: Apache/2.0.59 (rPath)
Last-Modified: Sat, 11 Jun 2011 00:31:47 GMT
ETag: "667a-67-cfb682c0"
Accept-Ranges: bytes
Content-Length: 103
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Set-Cookie: cookie_20=BUuoH166ZBENSFCi2OCuEWPqv0KMJfEr2qRf+Svnu9S1feGWc/rkeJ1u1sm5yjRjoXdxLF6A8rvG0N4=; path=/; HttpOnly

hoolio

Cirrostratus

Jun 18, 2013

In v11.0 you can use 'HTTP::cookie httponly $cookie_name enable' to set this flag:

https://devcentral.f5.com/wiki/iRules.http__cookie.ashx


when HTTP_RESPONSE { 
 
 Check if the response contains the persistence cookie 
if {[HTTP::cookie BIGipServerMy_Http_Pool] ne ""}{ 
 
 Set the httponly flag on the persistence cookie if it is in the response
HTTP::cookie httponly BIGipServerMy_Http_Pool enable
} 
}

Aaron

Forum Discussion

cookie persistence sendfor: http only

14 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

VIP is not responding on SYN after enabling other modules like ASM, APM and AFM.

2026 301a exam

F5OS login with admin/root failed via console

UCS Encryption Question

Unblock Request WAF

Related Content

Decoding the IPv4 address from the persistence cookie

How OneConnect Profile works with Cookie Persistence

F5 XC – Persistence and Resiliency pt. I (persistence)

Persistence Cookie Logger

Persistence Cookie Logging

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS