Mark_Wallis_833
Nimbostratus
Apr 13, 2010
Cookies - HttpOnly, Secure and ASM
Hi,
I'm trying to use the iRule code below in our HTTP_RESPONSE event to ensure that the secure flag is enabled on all our outgoing Set-Cookies.
    # Enable the Secure flag on every cookie the response sets
    foreach a_cookie [HTTP::cookie names] {
        HTTP::cookie secure $a_cookie enable
    }
Our application is setting the following cookie:
Set-Cookie: JSESSIONID=2A8F571EA86877B1366F559BEB4F238A; Path=/; HttpOnly
Two questions.
1. The foreach loop is actually looping twice. The first time the cookie name is JSESSIONID. The second time the cookie name is HttpOnly. Has anyone found any issues with the iRule not parsing cookies correctly that contain the HttpOnly attribute?
2. We have ASM which inserts a TS????? cookie, but this cookie doesn't appear during the loop. I assume it isn't inserted until after the HTTP_RESPONSE event? Does anyone know a way to enable secure on the ASM cookie?
Thanks,
Mark.
5 Replies
- hoolio
Cirrostratus
Hi Mark,
A few suggestions/notes:
It seems like a bug if you're setting the secure option on a cookie and then finding a cookie named HttpOnly. I'd suggest opening a case with F5 Support to have them confirm and document this issue.
HTTP_RESPONSE fires before the request is sent to ASM. So you'll need to use a "creative workaround" if you want to use an iRule to inspect and/or modify the response after ASM handles it. The workaround is described in SOL9388:
SOL9388: Using an iRule to parse post-ASM responses
https://support.f5.com/kb/en-us/solutions/public/9000/300/sol9388.html
I've had several customers balk at doing this because of the added complexity of the configuration. I'd suggest opening a case with F5 Support and asking them to add this functionality to the product without resorting to creating a second VS. If you do so and get a Change Request number, could you reply back with it so others can reference it?
Thanks, Aaron
- Mark_Wallis_833
Nimbostratus
Thanks for the reply Aaron.
I'll chat to support about better support for post-ASM iRule events. I agree - VS sandwiches are painful to scale, especially across the number of sites I need to handle this on.
Regards,
Mark.
- Pavel_Jurik_707
Nimbostratus
Hi Mark,
Have you solved the issue regarding the 1st question?
We have the same problem that F5 parses a cookie with the httponly parameter as 2 separate cookies - the first is named JSESSIOND and the second is HTTPONLY.
Regarding the 2nd question - there is a workaround in 10.2.0:
http://support.f5.com/kb/en-us/products/big-ip_asm/releasenotes/product/relnotes_asm_10_2_0.html
Cookie internal parameters added (CR131850)
thanks
pave
- hoolio
Cirrostratus
We have new events in 11.x to help with pre and post-ASM or other module processing:
https://devcentral.f5.com/wiki/iRules.HTTP-REQUEST-RELEASE.ashx
https://devcentral.f5.com/wiki/iRules.HTTP-RESPONSE-RELEASE.ashx
Pavel, I suggest opening a case with F5 Support if you're seeing the cookie property parsed as a cookie name.
Aaron
- Pavel_Jurik_707
Nimbostratus
Aaron,
thanks, we will try to open a case with F5 Support.
pavel
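
An added example, not part of the thread and not F5's own code: an iRule that sets Secure by editing the raw Set-Cookie header strings instead of going through HTTP::cookie, so a valueless HttpOnly attribute is never handled as a cookie name, and that runs in the HTTP_RESPONSE_RELEASE event linked above so cookies inserted by ASM are covered as well. It assumes BIG-IP 11.x or later and a virtual server that clients reach only over HTTPS.

```tcl
when HTTP_RESPONSE_RELEASE {
    # Added example. Assumption: 11.x or later, where this event fires after
    # ASM and other modules have processed the response.

    # Copy every Set-Cookie header as a raw string; nothing is parsed into
    # cookie objects, so "HttpOnly" stays an attribute of its cookie.
    set set_cookies [HTTP::header values "Set-Cookie"]
    if { [llength $set_cookies] == 0 } { return }

    # Remove the originals; each one is re-inserted below.
    HTTP::header remove "Set-Cookie"

    foreach sc $set_cookies {
        # Drop a trailing ";" or spaces so the appended attribute is well formed.
        set sc [string trimright $sc "; "]

        # Element 0 of the split is name=value; only the attributes after it
        # are compared, so a cookie value containing "secure" does not match.
        set has_secure 0
        foreach attr [lrange [split $sc ";"] 1 end] {
            if { [string equal -nocase [string trim $attr] "secure"] } {
                set has_secure 1
                break
            }
        }

        if { !$has_secure } {
            append sc "; Secure"
        }
        HTTP::header insert "Set-Cookie" $sc
    }
}
```

With the cookie from the first post, the header leaving the BIG-IP would read `Set-Cookie: JSESSIONID=...; Path=/; HttpOnly; Secure`.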
