Forum Discussion

LesterP's avatar
LesterP
Icon for Nimbostratus rankNimbostratus
Apr 11, 2012

Help with ProxyPass iRule v 8.2 and cookies

Using ProxyPass v8.2 with LTM 9.x we been experiencing a strange behavior with some cookies.

 

The rule is splitting a cookie into 3 different cookies back to the user.

 

 

 

 

The incoming header is

 

Set-Cookie: CAMSLC_DEV=ldap; Domain=example.com; Expires=Wed, 05-Dec-2012 21:12:42 GMT; Path=/"

 

 

 

 

 

and the outgoing header becomes

 

Set-Cookie: CAMSLC_DEV=ldap; Domain=example.com; Expires=Wed, 05-Dec-2012 21

 

Set-Cookie: 42 GMT; Path=/

 

Set-Cookie: 12

 

 

 

 

 

I added some logging statements to the iRule--

 

Rewrite any domains/paths in Set-Cookie headers

 

if {[HTTP::header exists "Set-Cookie"]}{

 

array set cookielist { }

 

 

A response may have multiple Set-Cookie headers, loop through them

 

foreach cookievalue [HTTP::header values "Set-Cookie"] {

 

 

set cookiename [getfield $cookievalue "=" 1]

 

set newcookievalue ""

 

if {$::ProxyPassDebug > 1} {

 

log local0. "COOKIEMON:Detect cookie name \"$cookiename\" from header field \"$cookievalue\" "

 

}

 

 

 

 

What is logged:

 

 

 

 

Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON:Detect cookie name "CAMSLC_DEV" from header field "CAMSLC_DEV=ldap; Domain=example.com; Expires=Fri, 07-Dec-2012 21"

 

 

Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element before trim "CAMSLC_DEV=ldap"

 

 

Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element after trim "CAMSLC_DEV=ldap"

 

 

Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element has an equal sign

 

 

Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element has been split by equal sign into name "CAMSLC_DEV" and value "ldap"

 

 

Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element before trim " Domain=example.com"

 

 

Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element after trim "Domain=example.com"

 

 

Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element has an equal sign

 

 

Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element has been split by equal sign into name "Domain" and value "example.com"

 

 

Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element before trim " Expires=Fri, 07-Dec-2012 21"

 

 

Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element after trim "Expires=Fri, 07-Dec-2012 21"

 

 

Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element has an equal sign

 

 

Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element has been split by equal sign into name "Expires" and value "Fri, 07-Dec-2012 21"

 

 

Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON:Detect cookie name "12" from header field "12"

 

 

Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element before trim "12"

 

 

Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element after trim "12"

 

 

Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON:Detect cookie name "11 GMT; Path" from header field "11 GMT; Path=/"

 

 

 

What can I do about the split at the colons?

 

3 Replies

  • Hi,

     

     

    This is due to a bug described in SOL8676:

     

     

    sol8676: The HTTP::header values iRule command removes colon characters from header values

     

    https://support.f5.com/kb/en-us/solutions/public/8000/600/sol8676.html?sr=20641614

     

     

    If your web server(s) always return a single set-cookie header, you could change HTTP::header values to HTTP::header value to avoid the issue. Or you could upgrade to v10.0+ which fixes this bug.

     

     

    Aaron
  • kjc's avatar
    kjc
    Icon for Nimbostratus rankNimbostratus
    What happens if an app does try to set more than one cookie?
  • If the app sets multiple cookies in one Set-Cookie header using HTTP::header value Set-Cookie would work fine. If the app sets multiple cookies in multiple Set-Cookie headers only the last Set-Cookie header would be parsed and updated for any domain rewriting that needs to be done. If the domain of the cookies isn't updated, the client would potentially not send those cookie(s) on subsequent requests.

     

     

    If the workaround doesn't work for your scenario, the fix is to upgrade to 10.x. Regardless, it would make a lot of sense to upgrade to 10.2.x as there have been a lot of fixes and new features added since 9.x.

     

     

    Aaron