For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

mnb_63148's avatar
mnb_63148
Icon for Nimbostratus rankNimbostratus
Feb 20, 2014

Does F5 automatically delete cookies in the header?

I have an issue where cookies are not always showing in the HTTP header. This is causing session timeouts when users are trying to log into a site and when they are randomly clicking around in a site...
mnb_63148's avatar
mnb_63148
Icon for Nimbostratus rankNimbostratus
Feb 20, 2014

looks like we are seeing the issue when our httpOnly iRule is below our http_cookie_secure_irule.

 

httponly_irule

 

when HTTP_RESPONSE { set ck [HTTP::header values "Set-Cookie"] HTTP::header remove "Set-Cookie"

 

foreach acookie $ck { HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly" }

 

http_cookie_secure_irule

 

}

 

mnb_63148's avatar
mnb_63148
Icon for Nimbostratus rankNimbostratus
Feb 21, 2014
Reversing the iRule order for httpOnly and secure cookies worked for a few hours and a user experienced a session timeout again. We are seeing in the packet capture that one of the cookies needed is getting removed by Big-IP when it is being passed to the server.