F5 iRule Example integrating HMAC

Kai.. quick question on the logic. It looks like you are validating the cached hmac_values hash against the hmac_cookie value when the two cookies (application cookie and hmac cookie are present). This compares the hash of the two values instead of the values that made the hash. Do you think there is a concern since the actual hashed value is being passed as a cookie? Wouldn't you want to compare the values or is verification of the hash enough validation? Is there any reason you are not rejecting the session from being established or do you see removing the cookie as a forcing function (just scared of creating a scenario where there is an endless cycle of connection attempts with no failure). Lastly, in the response, you used http::header insert instead of http::cookie insert. I know the header command is the older version, but is their a reason you went with header insert? Thanks