For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

matt_12671's avatar
matt_12671
Icon for Nimbostratus rankNimbostratus
Aug 26, 2013

How to properly insert HttpOnly and Secure cookie directives?

My load balancer has an iRule that adds the HttpOnly and Secure cookie directives. The rules is adding the directives multiple times, and in the incorrect places. How can I get the directives added c...
application delivery
devops
iRules
matt_12671's avatar
matt_12671
Icon for Nimbostratus rankNimbostratus
Sep 04, 2013

The F5 (running LTM 11.2) does not separate HTTP headers correctly, which means it also can't successfully separate HTTP Set-Cookie headers.

Given a header:

Set-Cookie: sso.auth_token=deleted; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/

The LB appears to do something funny with the semicolons and/or equals signs. It thinks "Expires" and "01-Jan-1970" are also cookie names using the [HTTP::cookie names] iRule command.

Using the [HTTP::header "Set-Cookie"] command doesn't do any better. The LB also thinks strings that are not cookie headers (e.g. "Expires") actually are.

I haven't looked for an existing bug for this, but may do so in the future. If I don't find one, I'll open one.