Help with ProxyPass iRule v 8.2 and cookies

Question

Using ProxyPass v8.2 with LTM 9.x  we been experiencing  a strange behavior with some cookies.
&nbsp;The rule is splitting a cookie into 3 different cookies back to the user. &nbsp;&nbsp;&nbsp;
&nbsp;The incoming header is
&nbsp;Set-Cookie: CAMSLC_DEV=ldap; Domain=example.com; Expires=Wed, 05-Dec-2012 21:12:42 GMT; Path=/" &nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;and the outgoing header becomes 
&nbsp;Set-Cookie: CAMSLC_DEV=ldap; Domain=example.com; Expires=Wed, 05-Dec-2012 21 
&nbsp;Set-Cookie: 42 GMT; Path=/ 
&nbsp;Set-Cookie: 12&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;I added some logging statements to the iRule--
&nbsp;   Rewrite any domains/paths in Set-Cookie headers
&nbsp;   if {[HTTP::header exists "Set-Cookie"]}{
&nbsp;      array set cookielist { }&nbsp;
&nbsp;       A response may have multiple Set-Cookie headers, loop through them
&nbsp;      foreach cookievalue [HTTP::header values "Set-Cookie"] {&nbsp;
&nbsp;         set cookiename [getfield $cookievalue "=" 1]
&nbsp;         set newcookievalue ""
&nbsp;         if {$::ProxyPassDebug &gt; 1} {
&nbsp;             log local0. "COOKIEMON:Detect cookie name \"$cookiename\" from header field \"$cookievalue\" "
&nbsp;             }&nbsp;&nbsp;&nbsp;
&nbsp;What is logged:&nbsp;&nbsp;&nbsp;
&nbsp;Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON:Detect cookie name "CAMSLC_DEV" from header field "CAMSLC_DEV=ldap; Domain=example.com; Expires=Fri, 07-Dec-2012 21" &nbsp;
&nbsp;Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element before trim "CAMSLC_DEV=ldap" &nbsp;
&nbsp;Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element after trim "CAMSLC_DEV=ldap" &nbsp;
&nbsp;Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element has an equal sign&nbsp;
&nbsp;Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element has been split by equal sign into name "CAMSLC_DEV" and value "ldap"&nbsp;
&nbsp;Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element before trim " Domain=example.com" &nbsp;
&nbsp;Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element after trim "Domain=example.com" &nbsp;
&nbsp;Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element has an equal sign&nbsp;
&nbsp;Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element has been split by equal sign into name "Domain" and value "example.com"&nbsp;
&nbsp;Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element before trim " Expires=Fri, 07-Dec-2012 21" &nbsp;
&nbsp;Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element after trim "Expires=Fri, 07-Dec-2012 21" &nbsp;
&nbsp;Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element has an equal sign&nbsp;
&nbsp;Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element has been split by equal sign into name "Expires" and value "Fri, 07-Dec-2012 21"&nbsp;
&nbsp;Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON:Detect cookie name "12" from header field "12" &nbsp;
&nbsp;Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element before trim "12" &nbsp;
&nbsp;Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON: cookie element after trim "12" &nbsp;
&nbsp;Apr 11 16:12:11 iss-bigIP-1d tmm tmm[1052]: Rule ProxyPassHTTPS_D_NoCookie : COOKIEMON:Detect cookie name "11 GMT; Path" from header field "11 GMT; Path=/" &nbsp;&nbsp;
&nbsp;What can I do about the split at the colons?&nbsp;

hooleylist · Answer

Hi, 
&nbsp;  
&nbsp; This is due to a bug described in SOL8676: 
&nbsp;  
&nbsp; sol8676: The HTTP::header values iRule command removes colon characters from header values 
&nbsp; https://support.f5.com/kb/en-us/solutions/public/8000/600/sol8676.html?sr=20641614 
&nbsp;  
&nbsp; If your web server(s) always return a single set-cookie header, you could change HTTP::header values to HTTP::header value to avoid the issue.  Or you could upgrade to v10.0+ which fixes this bug. 
&nbsp;  
&nbsp; Aaron

kjc · Answer

What happens if an app does try to set more than one cookie?

hooleylist · Answer

If the app sets multiple cookies in one Set-Cookie header using HTTP::header value Set-Cookie would work fine.  If the app sets multiple cookies in multiple Set-Cookie headers only the last Set-Cookie header would be parsed and updated for any domain rewriting that needs to be done.  If the domain of the cookies isn't updated, the client would potentially not send those cookie(s) on subsequent requests. 
&nbsp;  
&nbsp; If the workaround doesn't work for your scenario, the fix is to upgrade to 10.x.  Regardless, it would make a lot of sense to upgrade to 10.2.x as there have been a lot of fixes and new features added since 9.x. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Help with ProxyPass iRule v 8.2 and cookies

Recent Discussions

Outlook application issue

Why does WAF block HTTP OPTION method

Rewriting Location Header in iRule

HA Configuration (One in primary and One in DR)

Sending a trusted certificate to server

Related Content

URL Rewrite/ProxyPass Functionality

Cookie Tampering Protection using F5 Distributed Cloud Platform

ProxyPass for use with APM

iRule for cookie based load balancing

Proxypass in F5