Forum Discussion
How to properly insert HttpOnly and Secure cookie directives?
My load balancer has an iRule that adds the HttpOnly and Secure cookie directives. The rule is adding the directives multiple times, and in the incorrect places. How can I get the directives added correctly?
The rule is:
```
when HTTP_RESPONSE {
    log local0. "from response uri: $uri"
    set uri [URI::query [HTTP::uri]]
    foreach cookie [HTTP::cookie names] {
        # Cookies are left untouched for these two prefixes
        if { $uri starts_with "/sputnik" or $uri starts_with "/en-us" } {
        } else {
            set value [HTTP::cookie value $cookie];
            if { "" != $value } {
                set testvalue [string tolower $value]
                set valuelen [string length $value]
                log local0. "Cookie found: $cookie = $value";
                # Append Secure unless the value already contains it
                switch -glob $testvalue {
                    "*;secure*" -
                    "*; secure*" { }
                    default { set value "$value; Secure"; }
                }
                # Append HttpOnly unless the value already contains it
                switch -glob $testvalue {
                    "*;httponly*" -
                    "*; httponly*" { }
                    default { set value "$value; HttpOnly"; }
                }
                # Write the cookie back only if something was appended
                if { [string length $value] > $valuelen} {
                    log local0. "Replacing cookie $cookie with $value"
                    HTTP::cookie value $cookie "${value}"
                }
            }
        }
    }
}
```
Cookies from the host look like:
```
Set-Cookie: sso.auth_token=deleted; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
```
Cookies through the load balancer look like:
```
Set-Cookie: sso.auth_token=deleted; Secure; HttpOnly; Expires=Thu,; Secure; HttpOnly 01-Jan-1970 00:00:10; Secure; HttpOnly GMT; Path=/
```
I _expect_ cookies through the load balancer to look like:
```
Set-Cookie: sso.auth_token=deleted; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly
```
Is there something in the iRule that could make it add the directives multiple times, and in the incorrect place?
I am not very familiar with F5 load balancers. If the shown iRule isn't causing the issue, where else would you recommend I look?
Addition: The iRules are running on LTM v11.2
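One way to get the header form the question expects, as an added example that is not part of the original thread or any poster's code: it rewrites each raw `Set-Cookie` header line with the standard iRule commands `HTTP::header values`, `HTTP::header remove` and `HTTP::header insert`, appending each directive once at the end of the line. It assumes every response should be covered, so it omits the URI exclusions from the rule above.

```tcl
when HTTP_RESPONSE {
    # Read the complete Set-Cookie header lines. The whole line is handled
    # as one string, so an Expires date (which contains a comma and spaces)
    # is never taken apart.
    set cookies [HTTP::header values "Set-Cookie"]
    if { [llength $cookies] == 0 } { return }

    # Remove the originals; each one is re-inserted below after the check.
    HTTP::header remove "Set-Cookie"

    foreach line $cookies {
        set has_secure 0
        set has_httponly 0

        # Everything after the first ";" is an attribute. Compare whole
        # attribute names, case-insensitively, so a cookie value that merely
        # contains the text "secure" does not count as the directive.
        foreach attr [lrange [split $line ";"] 1 end] {
            switch -- [string tolower [string trim $attr]] {
                "secure"   { set has_secure 1 }
                "httponly" { set has_httponly 1 }
            }
        }

        # Drop any trailing "; " so the appended directives are well formed.
        set line [string trimright $line "; "]

        # Append each directive at most once, at the end of the line.
        if { !$has_secure }   { append line "; Secure" }
        if { !$has_httponly } { append line "; HttpOnly" }

        HTTP::header insert "Set-Cookie" $line
    }
}
```

For the host cookie shown in the question this yields `sso.auth_token=deleted; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/; Secure; HttpOnly`, and a line that already carries both directives is re-inserted unchanged.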
23 Replies
- Jason_Adams (Ret. Employee)
If you have reached this discussion and are still looking for a solution, this one is worth a read:
How to add Httponly and Secure attributes to HTTP cookies (for 11.5.x)
- Koen_Liu_132842 (Nimbostratus)
Hi All,
I have also struggled with the httponly and secure attributes with an i-rule without any results, until I found the setting within ASM, Headers cookie list: put in a wildcard and inject the 2 attributes.
Stop trying to do this with an i-rule; just use ASM.
