Ted_Smith_11168
Aug 09, 2005

help with cookie expiration in iRule

I have two iRules listed below. We are injecting a cookie on siteA, then redirecting to siteB. SiteB checks for the value set in siteA. If it is there, allow user access. If not, go back to siteA and get the value set.

We don't want people bookmarking and accessing siteB directly.

How can I specify an expiration time on the cookie we are setting through the iRule?

iRule set for www.companya.com VIP


when CLIENT_ACCEPTED {
  set ckname www1
  set ckvalue [IP::client_addr]
  set ckdomain companya.com
  set cookie [format "%s=%s; path=/; domain=%s" $ckname $ckvalue $ckdomain]
}
when HTTP_RESPONSE {
  HTTP::respond 302 Location "https://www1.companya.com" "Set-Cookie" $cookie
}

iRule set for www1.companya.com VIP


when CLIENT_ACCEPTED {
  set ckname www1
  set ckvalue [IP::client_addr]
  set ckdomain companya.com
}
when HTTP_REQUEST {
  # Tcl requires "else" on the same line as the closing brace of the "if" body
  if {[HTTP::cookie exists $ckname]} {
    pool UITShared
  } else {
    HTTP::redirect "https://www.companya.com"
  }
}

Thanks!
  • The Set-Cookie header is specified in RFC 2109 - HTTP State Management Mechanism.

    4.2.2  Set-Cookie Syntax
       The syntax for the Set-Cookie response header is
       set-cookie      =       "Set-Cookie:" cookies
       cookies         =       1#cookie
       cookie          =       NAME "=" VALUE *(";" cookie-av)
       NAME            =       attr
       VALUE           =       value
       cookie-av       =       "Comment" "=" value
                       |       "Domain" "=" value
                       |       "Max-Age" "=" value
                       |       "Path" "=" value
                       |       "Secure"
                       |       "Version" "=" 1*DIGIT

    Looks like you'll want to use the "Max-Age" value that's defined as follows:

    Max-Age=delta-seconds

    Optional. The Max-Age attribute defines the lifetime of the cookie, in seconds. The delta-seconds value is a decimal non-negative integer. After delta-seconds seconds elapse, the client should discard the cookie. A value of zero means the cookie should be discarded immediately.

    In Netscape's original proposal, there is also an "Expires" header that I believe most browsers still support, which takes as an argument a date string.

    -Joe
  • Thanks Joe, you are always very helpful (even when it is not a specific iRule question)!

    I am having an issue with the rule mentioned above and was wondering if you could add some insight as to what I am missing.

    The above iRules work when a user goes to the default site. If the user types in a custom uri, it doesn't work. I altered the rules to read the uri and append it to the redirect command.

    I don't think the cookie is being set or seen properly somewhere along the way because then I enter an infinite loop between the two iRules. Why would the cookie work with no uri, but not work when uri is appended?

    Any advice on altering the iRule or debugging with some log commands?

    Thanks again for your help!!


  • unRuleY_95363
    Historic F5 Account
    I think you might want your cookie domain to be ".companya.com".

    From RFC2109:

    4.3.2 Rejecting Cookies

    To prevent possible security or privacy violations, a user agent rejects a cookie (shall not store its information) if any of the following is true:

    * The value for the Path attribute is not a prefix of the request-URI.

    * The value for the Domain attribute contains no embedded dots or does not start with a dot.

    * The value for the request-host does not domain-match the Domain attribute.

    * The request-host is a FQDN (not IP address) and has the form HD, where D is the value of the Domain attribute, and H is a string that contains one or more dots.

    Examples:

    * A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com would be rejected, because H is y.x and contains a dot.

    * A Set-Cookie from request-host x.foo.com for Domain=.foo.com would be accepted.

    * A Set-Cookie with Domain=.com or Domain=.com., will always be rejected, because there is no embedded dot.

    * A Set-Cookie with Domain=ajax.com will be rejected because the value for Domain does not begin with a dot.

  • I have made the change to the cookie domain, but I am still getting strange (unexplained and unwanted) results.

    If I use a url with https://hostname.domain.com/ it seems to work. Webserver sends request to ColdFusion MX appserver, which sets default uri (a logon page). Cookie seems to work properly.

    If I enter a different url https://hostname.domain.com/admin/logon.cfm, the iRule is caught in an infinite forwarding loop.

    I gotta be missing something simple. I'm going to keep plugging away. We have an entire web farm migration hinged on getting this to work.

    Is this the proper place for this or should I open a support ticket?

    Thanks again for everyone's help!!
  • unRuleY_95363
    Historic F5 Account
    Maybe you should post your current (desensitized) version of the rule with the uri stuff you added. Maybe there's something broken in that?!?

    And, yes, this is probably the correct place for this as it doesn't appear that anything is actually broken with the BIG-IP. It seems more like a matter of figuring out how to get it working with your deployment.

  • This is in an internal QA Environment:

    VIP uitaac.allied.nwie.net

    
    when CLIENT_ACCEPTED {
      set ckname uitaac1
      set ckvalue [IP::client_addr]
      set ckdomain .allied.nwie.net
      set cookie [format "%s=%s; path=/; domain=%s" $ckname $ckvalue $ckdomain]
    }
    when HTTP_REQUEST {
      set uri [HTTP::uri]
    }
    when HTTP_RESPONSE {
      HTTP::respond 302 Location "https://uitaac1.allied.nwie.net$uri]" "Set-Cookie" $cookie
    }

    VIP uitaac1.allied.nwie.net

    when CLIENT_ACCEPTED {
      set ckname uitaac1
      set ckvalue [IP::client_addr]
      set ckdomain .allied.nwie.net
    }
    when HTTP_REQUEST {
      set uri [HTTP::uri]
      # Tcl requires "else" on the same line as the closing brace of the "if" body
      if {[HTTP::cookie exists $ckname]} {
        pool UITShared
      } else {
        HTTP::redirect "https://uitaac.allied.nwie.net$uri"
      }
    }

    Thanks!
  • unRuleY_95363
    Historic F5 Account
    Either this is a cut-n-paste error or perhaps your problem, but you have a closing square bracket ']' at the end of the uri in your first rule. Is that intended?
  • No, it was not intended. Not sure how I missed it. Probably a typo from the 30 or so different things I have tried the last two days.

    Good news is that after correcting this embarrassingly obvious mistake, things seem to be running very smoothly.

    I need to do more extensive testing over the next few days, but this is finally the break I have been working for the last few days.

    Thanks again for all your help. Hopefully I won't be posting on this issue in the near future :-)