Forum Discussion

John_Chen_43562
Feb 13, 2016

Force to terminate active session cookie

I have https virtual servers with a session cookie (HTTP cookie insert) with a 3-hour expiration setting. I would like to configure it to terminate the active cookie session after 3 hours even if the user is still using it. Will it be doable on F5? My version is 11.5.1.HF8

 

2 Replies

  • Session cookies can be deleted by resetting them with an expiration value in the past. For example:

    HTTP::respond 302 Location "https://somewhere.else.com" "Set-Cookie" "MyCookie=0;path=/;expires=\"Thu, 01-Jan-1970 00:00:01 GMT\""
    

    It's important to understand that a cookie is generally defined by its name and path, so:

    MyCookie=1;path=/
    MyCookie=1;path=/foo
    

    are separate cookies and the browser agent will treat them as such. The point being that when you delete a cookie via setting an expiration, you must exactly match the name and path of the cookie stored by the browser. As to your question, if your application is setting the cookie in the first place, you'll need to "tag" it somehow with a timestamp. You can either add the timestamp to the cookie value, or keep a local table entry that maps the cookie's unique value (assuming it has a unique value) to a timestamp. When it's time to remove the cookie, either generate a redirect or inject the cookie into the HTTP response flow.
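The name-and-path rule in the reply above, worked through as an added Python model of a browser cookie jar (my code, not from the thread or from F5): cookies are keyed by (name, path), a Set-Cookie with an Expires date in the past deletes only the exactly matching key, and both copies of a same-named cookie are sent on a request whose path matches. The scenario values are constructed.

```python
from datetime import datetime, timezone

# Expiry value used in the reply's deletion header (RFC 850 style date).
EPOCH_EXPIRES = "Thu, 01-Jan-1970 00:00:01 GMT"
DATE_FMT = "%a, %d-%b-%Y %H:%M:%S GMT"


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, path, expires).

    Only the attributes the reply talks about are handled; path defaults to "/".
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    path, expires = "/", None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip().strip('"')
        if key == "path":
            path = val or "/"
        elif key == "expires":
            expires = datetime.strptime(val, DATE_FMT).replace(tzinfo=timezone.utc)
    return name.strip(), value, path, expires


def apply_set_cookie(jar, header, now):
    """Update a jar keyed by (name, path): a past Expires deletes exactly that key."""
    name, value, path, expires = parse_set_cookie(header)
    key = (name, path)
    if expires is not None and expires <= now:
        jar.pop(key, None)
    else:
        jar[key] = value
    return jar


def deletion_header(name, path="/"):
    """Build the same kind of deletion header the reply sends via HTTP::respond."""
    return f'{name}=0;path={path};expires="{EPOCH_EXPIRES}"'


def cookies_for_request(jar, request_path):
    """name=value pairs a browser would attach to request_path (cookie path-match)."""
    return sorted(
        f"{name}={value}"
        for (name, path), value in jar.items()
        if request_path == path or request_path.startswith(path.rstrip("/") + "/")
    )


def demo():
    """Constructed scenario: same name, two paths, then deletion by path."""
    now = datetime(2016, 2, 13, tzinfo=timezone.utc)
    jar = {}
    apply_set_cookie(jar, "MyCookie=1;path=/", now)
    apply_set_cookie(jar, "MyCookie=1;path=/foo", now)
    sent_to_foo = cookies_for_request(jar, "/foo/bar")       # both copies match /foo/bar
    apply_set_cookie(jar, deletion_header("MyCookie", "/"), now)
    left_after_root_delete = sorted(jar)                       # the /foo copy survives
    apply_set_cookie(jar, deletion_header("MyCookie", "/foo"), now)
    return sent_to_foo, left_after_root_delete, sorted(jar)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows why a deletion header with `path=/` leaves the `path=/foo` copy in place: the jar still holds `("MyCookie", "/foo")` until a second deletion with the matching path is applied.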

  • Hi John,

    the most secure method to enforce cookie maximum lifetimes is not to depend on cookie expiration and server-side cookie deletion at all. Instead you should implement a server-side tracking mechanism to enforce that the cookie cannot be used longer than expected. This mechanism can be implemented either by your application itself or by using iRules...

    Below is a rather simple iRule syntax that will keep an eye on the `Set-Cookie` responses of your web server and store the values of the given cookie name into a `[table]` for a specified lifetime. If the client is now sending the cookie to the server, another `[table]` statement is performed to check if the cookie value has an active `[table]` entry. If this is successful, the request would be forwarded to your backend, and if not successful, the cookie is silently removed from the request...

    when HTTP_REQUEST {
        # Strip the cookie unless its value still has a live table entry (-notouch: do not refresh it)
        if { [table lookup -notouch [HTTP::cookie value "MYCookie"]] eq "" } then {
            HTTP::cookie remove "MYCookie"
        }
    }
    when HTTP_RESPONSE {
        # Register every value the server issues, with an absolute lifetime
        if { [HTTP::cookie value "MYCookie"] ne "" } then {
            table set [HTTP::cookie value "MYCookie"] "1" indef 10800 ;# Note: 10800 sec = 3 hrs
        }
    }
    

    Warning: Enforcing cookie lifetimes using the `[table]` command requires a certain amount of memory to store the individual values (a.k.a. stateful tracking). If memory is a concern for you, then you may switch to a rather complex stateless cookie tracking method, where an additional timestamp is put directly into the cookie value in combination with cookie encryption to make those values tamper resistant.

    Cheers, Kai
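The two approaches in Kai's reply, the stateful `[table]` lookup and the stateless timestamp-in-cookie variant, as an added Python model (my code, not from the thread, from F5, or the iRule above). Assumptions: `CookieTable` registers a value at the first Set-Cookie and never refreshes it, so the lifetime is absolute; the stateless variant signs `session_id:issued_at` with HMAC-SHA256 instead of encrypting the cookie, which gives the tamper resistance the reply asks for without hiding the timestamp. Times are epoch seconds and all values are constructed.

```python
import hashlib
import hmac
import secrets

LIFETIME = 10800  # 3 hours, the value used in the thread


class CookieTable:
    """Stateful tracker: a stand-in for the iRule [table] with an absolute lifetime."""

    def __init__(self, lifetime=LIFETIME):
        self.lifetime = lifetime
        self._expiry = {}  # cookie value -> absolute expiry time (epoch seconds)

    def on_response(self, cookie_value, now):
        """HTTP_RESPONSE side: remember a newly issued value; never extend an existing one."""
        if cookie_value and cookie_value not in self._expiry:
            self._expiry[cookie_value] = now + self.lifetime

    def on_request(self, cookie_value, now):
        """HTTP_REQUEST side: return the value the backend may see, '' when it is stripped."""
        expiry = self._expiry.get(cookie_value)
        if expiry is None or now >= expiry:
            self._expiry.pop(cookie_value, None)  # drop stale entries eagerly
            return ""
        return cookie_value


def issue_stateless_cookie(session_id, issued_at, key):
    """Stateless variant: session id + issue timestamp + HMAC tag over both."""
    payload = f"{session_id}:{issued_at}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify_stateless_cookie(cookie, now, key, lifetime=LIFETIME):
    """Return the session id when the tag is valid and the cookie is younger than lifetime."""
    try:
        session_id, issued_at, tag = cookie.split(":")
        issued = int(issued_at)
    except ValueError:
        return None
    expected = hmac.new(key, f"{session_id}:{issued_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    if now < issued or now - issued >= lifetime:  # future-dated or older than lifetime
        return None
    return session_id


def demo():
    """Constructed timeline: issue at t0, check at +1h, at +3h, and with a tampered timestamp."""
    key = secrets.token_bytes(32)  # per-run signing key (constructed)
    t0 = 1_455_321_600             # constructed issue time

    table = CookieTable()
    table.on_response("abc123", t0)
    stateful = (
        table.on_request("abc123", t0 + 3600),     # still live -> forwarded
        table.on_request("abc123", t0 + LIFETIME), # lifetime reached -> stripped
        table.on_request("unknown", t0),           # never issued by the server -> stripped
    )

    cookie = issue_stateless_cookie("sess42", t0, key)
    tampered = cookie.replace(str(t0), str(t0 + 7200), 1)  # client edits the timestamp
    stateless = (
        verify_stateless_cookie(cookie, t0 + 3600, key),
        verify_stateless_cookie(cookie, t0 + LIFETIME, key),
        verify_stateless_cookie(tampered, t0 + 3600, key),
    )
    return stateful, stateless


if __name__ == "__main__":
    print(demo())
```

The stateful path costs one table entry per issued cookie value, which is the memory concern the warning describes; the stateless path costs nothing per session but, as the reply notes, only works if the timestamp cannot be edited by the client, which is what the HMAC tag enforces here.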