For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Ted_Smith_11168's avatar
Ted_Smith_11168
Icon for Nimbostratus rankNimbostratus
Aug 09, 2005

help with cookie expiration in iRule

I have two iRules listed below. We are injecting a cookie on siteA, the redirecting to siteB. SiteB checks for value set in siteA. If it is there allow user access. If not go back to siteA and get val...
application delivery
dev
devops
iRules
unRuleY_95363's avatar
unRuleY_95363
Historic F5 Account
Aug 10, 2005
I think you might want your cookie domain to be ".companya.com".

 

 

From RFC2109:

 

 

4.3.2 Rejecting Cookies

 

 

To prevent possible security or privacy violations, a user agent

 

rejects a cookie (shall not store its information) if any of the

 

following is true:

 

 

* The value for the Path attribute is not a prefix of the request-

 

URI.

 

 

* The value for the Domain attribute contains no embedded dots or

 

does not start with a dot.

 

 

* The value for the request-host does not domain-match the Domain

 

attribute.

 

 

* The request-host is a FQDN (not IP address) and has the form HD,

 

where D is the value of the Domain attribute, and H is a string

 

that contains one or more dots.

 

 

Examples:

 

 

* A Set-Cookie from request-host y.x.foo.com for Domain=.foo.com

 

would be rejected, because H is y.x and contains a dot.

 

 

* A Set-Cookie from request-host x.foo.com for Domain=.foo.com would

 

be accepted.

 

 

* A Set-Cookie with Domain=.com or Domain=.com., will always be

 

rejected, because there is no embedded dot.

 

 

* A Set-Cookie with Domain=ajax.com will be rejected because the

 

value for Domain does not begin with a dot.