For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

nsgguy245_16208's avatar
nsgguy245_16208
Icon for Nimbostratus rankNimbostratus
Jun 26, 2014

Forwarding BigIP Cookies on Redirect

I need to setup an iRule for a redirect, but I want the redirect to pass along the cookie information. Is that done by default or do I need to include configuration details to do this? Thanks...  
application delivery
design
devops
iRules
LTM
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Jul 01, 2014

That dives a bit into the "HTTP State Management" RFCs and how cookies can be used across sites. In short, a cookie is natively host-specific. When a host, by name, sends a cookie to a client, the client should only ever return that cookie to the same host. Further, if a host attempts to send a cookie to a client, perhaps in a redirect, intended for another host, the client should ignore this cookie (for security reasons). The one caveat to this last condition is the "domain" attribute of a Set-Cookie header. A Set-Cookie header with a domain attribute tells the client that it can send that cookie back to any host that matches that domain (but must also be in the same domain as the cookie originator).

So, let's say you have a site: host1.domain.com, and it wants to redirect users to host2.domain.com and send a cookie. The only way to do this is by setting a domain attribute in the Set-Cookie header with the value domain.com.

HTTP::respond 302 Location "someplace-else" "Set-Cookie" "foo=bar;path=/" "Set-Cookie" "test=blah;path=/;domain=domain.com"