Forum Discussion
matt_12671
Nimbostratus
Aug 26, 2013
How to properly insert HttpOnly and Secure cookie directives?
My load balancer has an iRule that adds the HttpOnly and Secure cookie directives. The rule is adding the directives multiple times, and in the incorrect places. How can I get the directives added c...
nitass_89166
Noctilucent
Aug 26, 2013
Can you try to change "Expires" to "expires"? You may use an iRule similar to the following to change it.
e.g.
root@ve10(Active)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.19.252:http
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    snat automap
}
root@ve10(Active)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:http { }
    }
}
root@ve10(Active)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_REQUEST {
        set uri [string tolower [HTTP::path]]
    }
    # Runs first (priority 100, below the default of 500): re-insert every
    # Set-Cookie header with Expires rewritten to expires
    when HTTP_RESPONSE priority 100 {
        set setckval [HTTP::header values "Set-Cookie"]
        HTTP::header remove "Set-Cookie"
        foreach asetckval $setckval {
            HTTP::header insert "Set-Cookie" [string map {Expires expires} $asetckval]
        }
    }
    # Runs second (default priority): append Secure and HttpOnly to each
    # cookie value unless the directive is already present
    when HTTP_RESPONSE {
        if { $uri starts_with "/sputnik" or $uri starts_with "/en-us" } {
            # cookies for these paths are left unchanged
        } else {
            foreach cookie [HTTP::cookie names] {
                set value [HTTP::cookie value $cookie];
                if { "" != $value } {
                    set testvalue [string tolower $value]
                    set valuelen [string length $value]
                    switch -glob $testvalue {
                        "*;secure*" -
                        "*; secure*" { }
                        default { set value "$value; Secure"; }
                    }
                    switch -glob $testvalue {
                        "*;httponly*" -
                        "*; httponly*" { }
                        default { set value "$value; HttpOnly"; }
                    }
                    # Only rewrite the cookie when a directive was appended
                    if { [string length $value] > $valuelen} {
                        HTTP::cookie value $cookie "${value}"
                    }
                }
            }
        }
    }
}
to server directly
[root@ve10:Active] config curl -I http://200.200.200.101
HTTP/1.1 200 OK
Date: Mon, 26 Aug 2013 02:09:30 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 23 May 2013 00:28:46 GMT
ETag: "4185a8-59-c3efab80"
Accept-Ranges: bytes
Content-Length: 89
Set-Cookie: sso.auth_token=deleted; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: anothercookie=something; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html; charset=UTF-8
via virtual server
[root@ve10:Active] config curl -I http://172.28.19.252
HTTP/1.1 200 OK
Date: Mon, 26 Aug 2013 02:09:36 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 23 May 2013 00:28:46 GMT
ETag: "4185a8-59-c3efab80"
Accept-Ranges: bytes
Content-Length: 89
Content-Type: text/html; charset=UTF-8
Set-Cookie: sso.auth_token=deleted; Secure; HttpOnly; expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: anothercookie=something; Secure; HttpOnly; expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
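Added example, not part of the original thread: a Python check for `curl -I` output like the responses above that reports, per cookie, whether Secure or HttpOnly is missing, repeated, or stuck inside another attribute's value. The function name, the `dup` and `misplaced` sample lines, and the wording of the reported problems are constructed for illustration.

```python
import re

# Constructed input: the two Set-Cookie lines from the "via virtual server"
# response above, plus two constructed lines showing a repeated directive and
# a directive that landed inside another attribute's value.
SAMPLE = """\
HTTP/1.1 200 OK
Set-Cookie: sso.auth_token=deleted; Secure; HttpOnly; expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: anothercookie=something; Secure; HttpOnly; expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: dup=1; Secure; HttpOnly; Path=/; Secure; HttpOnly
Set-Cookie: misplaced=1; Path=/ HttpOnly; secure
"""

FLAGS = ("secure", "httponly")
EMBEDDED = re.compile(r"\s(secure|httponly)\b", re.IGNORECASE)

def audit_set_cookie(raw_headers):
    """Map each cookie name to a list of problems with its Secure/HttpOnly flags."""
    report = {}
    for line in raw_headers.splitlines():
        field, sep, content = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in content.split(";") if p.strip()]
        if not parts:
            continue
        cookie_name = parts[0].partition("=")[0].strip()
        problems = []
        # Attribute names are case-insensitive; a flag is a bare token with no "=".
        bare = [p.lower() for p in parts[1:] if "=" not in p]
        for flag in FLAGS:
            count = bare.count(flag)
            if count == 0:
                problems.append(f"missing {flag}")
            elif count > 1:
                problems.append(f"{flag} appears {count} times")
        # A flag glued onto a value (no ';' before it) is not parsed as a flag.
        for part in parts:
            key, eq, value = part.partition("=")
            hit = EMBEDDED.search(value) if eq else None
            if hit:
                problems.append(f"{hit.group(1).lower()} inside {key.strip().lower()} value")
        report[cookie_name] = problems
    return report

if __name__ == "__main__":
    for name, problems in audit_set_cookie(SAMPLE).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

To check a live response, pass the text captured from `curl -sI` against the virtual server to `audit_set_cookie` in place of `SAMPLE`.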
matt_12671
Nimbostratus
Sep 04, 2013
Ah, I misunderstood what your iRule was doing. After further debugging, I think the issue is with the [HTTP::header values "Set-Cookie"] and [HTTP::cookie names] commands.
