Forum Discussion
How to delete cookies with random names?
Hello,
I have a Web app that uses random cookie names that appear at different Web pages. I want to flush these cookies at logoff time.
Currently I am using the following irule.
Is there a more optimal way to do this?
Thank you
```tcl
when HTTP_REQUEST {
    # Capture cookie names
    if { ![info exists cookie_list] } { set cookie_list "" }
    set cookies [HTTP::cookie names]
    foreach cookie $cookies {
        if { not ($cookie_list contains $cookie) } {
            set cookie_list "$cookie $cookie_list"
        }
    }
    # Store the cookie list in a session variable
    ACCESS::session data set session.custom.cookie_list $cookie_list
}
when HTTP_RESPONSE {
    # Check if the logoff processing flag is set (the flag itself is set elsewhere)
    if { [info exists logoff] && $logoff == 1 } {
        # Remove all captured cookies
        set cookies [split [ACCESS::session data get session.custom.cookie_list] " "]
        foreach cookie $cookies {
            if { not ($cookie equals "") } {
                HTTP::header insert Set-Cookie "$cookie=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT"
            }
        }
    }
}
```
3 Replies
- JG
Cumulonimbus
Can't the app be made to clean after itself?
- Kevin_Stewart
Employee
There are conceivably two ways to do this. You could simply collect the cookies that the client sends in the request that signals the logoff sequence into a local variable. Because the HTTP_RESPONSE event should fire in the same TCP session, you'd have access to that local variable and could use it to delete the (known) cookies. Example:

```tcl
when HTTP_REQUEST {
    if { [HTTP::uri] equals "/logoff.php" } {
        set logoff 1
        set incoming_cookies [HTTP::cookie names]
    }
}
when HTTP_RESPONSE {
    if { [info exists logoff] } {
        foreach x $incoming_cookies {
            HTTP::header insert Set-Cookie "$x=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT"
        }
    }
}
```

I say "known" cookies because it will only catch the cookies that the browser sends on that specific request. There could be others based on cookie path, domain, httponly, and secure attributes. To get those, you'd probably need to capture them as they're sent (via Set-Cookie header) and store them somewhere - like the APM session table. This method could get a bit more complex though, for example, if the application sent the same or a modified version of its cookies on every response. You wouldn't want to store all of those potentially redundant cookies, so you'd need to search for and replace the old ones in your table, and for each response.
- hoolio
Cirrostratus
Make sure to unset logoff or set it to 0 if you're setting it in HTTP_REQUEST to avoid removing the cookies on subsequent requests on the same TCP connection:
```tcl
when HTTP_REQUEST {
    if { [HTTP::uri] equals "/logoff.php" } {
        set logoff 1
        set incoming_cookies [HTTP::cookie names]
    } else {
        set logoff 0
    }
}
when HTTP_RESPONSE {
    if { $logoff == 1 } {
        foreach x $incoming_cookies {
            HTTP::header insert Set-Cookie "$x=deleted; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT"
        }
    }
}
```

Aaron
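The second approach described in Kevin_Stewart's reply (record each cookie as the application sets it, then expire the recorded set at logoff), combined with the per-request flag reset from hoolio's reply, as an added example that is not code from the thread. It records path and domain with each name because a browser only removes a cookie when the expiring Set-Cookie matches both. Assumptions: an APM-protected virtual server where `ACCESS::session data` is usable in both events as in the original post, `/logoff.php` as the logoff URI, and the hypothetical variable name `session.custom.cookie_scopes`.

```tcl
# Added example (not from the thread). session.custom.cookie_scopes is a
# hypothetical variable name; /logoff.php is the logoff URI used in the replies.
when HTTP_REQUEST {
    # Reset on every request so keep-alive connections do not reuse the flag.
    if { [HTTP::uri] equals "/logoff.php" } { set logoff 1 } else { set logoff 0 }
    # RFC 6265 default-path: request path up to, not including, its last "/".
    set default_path [string range [HTTP::path] 0 [expr { [string last "/" [HTTP::path]] - 1 }]]
    if { $default_path eq "" } { set default_path "/" }
}
when HTTP_RESPONSE {
    # Stored as a Tcl list of {name path domain} triples.
    set scopes [ACCESS::session data get session.custom.cookie_scopes]
    set changed 0
    foreach name [HTTP::cookie names] {
        set path [HTTP::cookie path $name]
        # A cookie set without Path is scoped to the request's default-path.
        if { $path eq "" } { set path $default_path }
        set entry [list $name $path [HTTP::cookie domain $name]]
        # Record each name/path/domain combination once, however often it is re-sent.
        if { [lsearch -exact $scopes $entry] == -1 } {
            lappend scopes $entry
            set changed 1
        }
    }
    if { $changed } {
        ACCESS::session data set session.custom.cookie_scopes $scopes
    }
    if { $logoff } {
        foreach entry $scopes {
            # Tcl 8.4-compatible unpacking of the triple.
            foreach {name path domain} $entry break
            set expired "$name=deleted; path=$path; expires=Thu, 01 Jan 1970 00:00:00 GMT"
            if { $domain ne "" } { append expired "; domain=$domain" }
            HTTP::header insert Set-Cookie $expired
        }
    }
}
```

If a response carries several Set-Cookie headers with the same name but different paths, this sketch records only the attributes `HTTP::cookie` reports for that name.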