
wyuen_99269
May 07, 2015

How to search a string for multiple values and replace with another string

Inserting cookie: PHPSESSID=eur026tal67g54keu6oj5gphh6; expires=Fri, 08-May-2015 13:23:10 GMT; path=/; domain= HttpOnly

 

Need code to strip "HttpOnly" or "httponly"

 

HTTP::header insert "Set-Cookie" $cookielist($cookiename)

 

4 Replies

  • Need code to strip "HttpOnly" or "httponly"

     

    doesn't HTTP::cookie httponly work?

     

    HTTP::cookie

     

    https://devcentral.f5.com/wiki/iRules.HTTP__cookie.ashx

     

    # configuration
    
    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm virtual bar
    ltm virtual bar {
        destination 172.28.24.10:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            tcp { }
        }
        rules {
            qux
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vs-index 4
    }
    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm rule qux
    ltm rule qux {
        when HTTP_RESPONSE {
      HTTP::cookie httponly PHPSESSID disable
    }
    }
    
    # trace
    
    [root@ve11c:Active:In Sync] config # ssldump -Aed -nni 0.0 port 80
    New TCP connection 1: 172.28.24.8(53626) <-> 172.28.24.10(80)
    1431064577.3957 (0.0016)  C>S
    ---------------------------------------------------------------
    HEAD / HTTP/1.1
    User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1l zlib/1.2.3 libidn/1.18
    Host: 172.28.24.10
    Accept: */*
    
    ---------------------------------------------------------------
    
    New TCP connection 2: 200.200.200.14(53626) <-> 200.200.200.101(80)
    1431064577.3977 (0.0009)  C>S
    ---------------------------------------------------------------
    HEAD / HTTP/1.1
    User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 OpenSSL/1.0.1l zlib/1.2.3 libidn/1.18
    Host: 172.28.24.10
    Accept: */*
    
    ---------------------------------------------------------------
    
    1431064577.4007 (0.0029)  S>C
    ---------------------------------------------------------------
    HTTP/1.1 200 OK
    Date: Fri, 08 May 2015 05:37:12 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Sun, 09 Feb 2014 08:39:51 GMT
    ETag: "41879c-59-2a9c23c0"
    Accept-Ranges: bytes
    Content-Length: 89
    Set-Cookie: PHPSESSID=eur026tal67g54keu6oj5gphh6; expires=Fri, 08-May-2015 13:23:10 GMT; path=/; domain=www.supportourtroopscanada.com.; HttpOnly
    Content-Type: text/html; charset=UTF-8
    
    ---------------------------------------------------------------
    
    1431064577.4008 (0.0050)  S>C
    ---------------------------------------------------------------
    HTTP/1.1 200 OK
    Date: Fri, 08 May 2015 05:37:12 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Sun, 09 Feb 2014 08:39:51 GMT
    ETag: "41879c-59-2a9c23c0"
    Accept-Ranges: bytes
    Content-Length: 89
    Set-Cookie: PHPSESSID=eur026tal67g54keu6oj5gphh6; expires=Fri, 08-May-2015 13:23:10 GMT; path=/; domain=www.supportourtroopscanada.com.;
    Content-Type: text/html; charset=UTF-8
    
    ---------------------------------------------------------------
    
  • I am creating new cookies. At the end of the line, a string "HttpOnly" or "httponly" is added and I am unable to create the cookie. I wanted to strip the string "HttpOnly" or "httponly" out of the cookie line.

     

    Below is the code, and if you look at the "Inserting cookie" portion, it is not inserting the code.

     

    when HTTP_RESPONSE {
    if { $static::ProxyPassDebug > 1 } {
        log local0. "$log_prefix: [HTTP::status] response from [LB::server]"
    }

     

    if {$bypass} {
        # No modification is necessary if we didn't change anything inbound so disable the stream filter if it was enabled
    
        # Check if we're rewriting the response
        if {$static::RewriteResponsePayload} {
            if { $static::ProxyPassDebug > 1 } {
                log local0. "$log_prefix: Rewriting response content enabled, but disabled on this response."
            }
    
            # Need to explicitly disable the stream filter if it's not needed for this response
            # Hide the command from the iRule parser so it won't generate a validation error
            #   when not using a stream profile
            set stream_disable_cmd "STREAM::disable"
    
            # Execute the STREAM::disable command.  Use catch to handle any errors. Save the result to $result
            if { [catch {eval $stream_disable_cmd} result] } {
                # There was an error trying to disable the stream profile.
                log local0. "$log_prefix: Error disabling stream filter ($result). If you enable static::RewriteResponsePayload, then you should add a stream profile to the VIP.  Else, set static::RewriteResponsePayload to 0 in this iRule."
            }
        }
    
        # Exit from this event.
        return
    }
    
    # Check if we're rewriting the response
    if {$static::RewriteResponsePayload} {
        # Configure and enable the stream filter to rewrite the response payload
        # Hide the command from the iRule parser so it won't generate a validation error
        #   when not using a stream profile
        if {$static::RewriteResponsePayload > 1} {
            set stream_expression_cmd "STREAM::expression \"@$host_serverside$path_serverside@$host_clientside$path_clientside@ @$path_serverside@$path_clientside@\""
        } else {
            set stream_expression_cmd "STREAM::expression \"@$host_serverside$path_serverside@$host_clientside$path_clientside@\""
        }
        set stream_enable_cmd "STREAM::enable"
        if { $static::ProxyPassDebug > 1 } {
            log local0. "$log_prefix: \$stream_expression_cmd: $stream_expression_cmd, \$stream_enable_cmd: $stream_enable_cmd"
        }
    
        # Execute the STREAM::expression command. Use catch to handle any errors. Save the result to $result
        if { [catch {eval $stream_expression_cmd} result] } {
            # There was an error trying to set the stream expression.
            log local0. "$log_prefix: Error setting stream expression ($result). If you enable static::RewriteResponsePayload, then you should add a stream profile to the VIP.  Else, set static::RewriteResponsePayload to 0 in this iRule."
        } else {
            # No error setting the stream expression, so try to enable the stream filter
            # Execute the STREAM::enable command.  Use catch to handle any errors. Save the result to $result
            if { [catch {eval $stream_enable_cmd} result] } {
                # There was an error trying to enable the stream filter.
                log local0. "$log_prefix: error enabling stream filter ($result)"
            } else {
                if { $static::ProxyPassDebug > 1 } {
                    log local0. "$log_prefix: Successfully configured and enabled stream filter"
                }
            }
        }
    }
    
    # Fix Location, Content-Location, and URI headers
    foreach header {"Location" "Content-Location" "URI"} {
        set protocol [URI::protocol [HTTP::header $header]]
        if { $static::ProxyPassDebug > 1 } {
            log local0. "$log_prefix: Checking $header=[HTTP::header $header], \$protocol=$protocol"
        }
        if {$protocol ne ""} {
            set server_path [findstr [HTTP::header $header] $host_serverside [string length $host_serverside]]
            if {$server_path starts_with $path_serverside} {
                if { $static::ProxyPassDebug } {
                    log local0. "$log_prefix: Changing response header $header: [HTTP::header $header] with $protocol://$host_clientside$path_clientside[substr $server_path [string length $path_serverside]]"
                }
                HTTP::header replace $header $protocol://$host_clientside$path_clientside[substr $server_path [string length $path_serverside]]
            }
        }
    }
    
    # Rewrite any domains/paths in Set-Cookie headers
    if {[HTTP::header exists "Set-Cookie"]}{
        array unset cookielist
        foreach cookievalue [HTTP::header values "Set-Cookie"] {
            set cookiename [getfield $cookievalue "=" 1]
            set namevalue ""
            set newcookievalue ""
                           log local0. "CookieName = $cookiename ProxyPass"
                           log local0. "CookieValue = $cookievalue ProxyPass"
            foreach element [split $cookievalue ";"] {
                set element [string trim $element]
                                     log local0. "Element = $element ProxyPass 1"
                if {$namevalue equals ""} {
                    set namevalue $element  
                } else {
                    if {$element contains "="} {
                        set elementname [getfield $element "=" 1]
                        set elementvalue [getfield $element "=" 2]
                        if {[string tolower $elementname] eq "domain"} {
                            set elementvalue [string trimright $elementvalue "."]
                            if {$host_serverside ends_with $elementvalue} {
                                if {$static::ProxyPassDebug > 1} {
                                    log local0. "$log_prefix: Modifying cookie $cookiename domain from $elementvalue to $host_clientside ProxyPass"
                                }
                                set elementvalue $host_clientside
                            }
                            append elementvalue "."
                        }
                        if {[string tolower $elementname] eq "path"} {
                            if {$elementvalue starts_with $path_serverside} {
                                if {$static::ProxyPassDebug > 1} {
                                    log local0. "$log_prefix: Modifying cookie $cookiename path from $elementvalue to $path_clientside[substr $elementvalue [string length $path_serverside]] ProxyPass"
                                }
                                set elementvalue $path_clientside[substr $elementvalue [string length $path_serverside]]
                            }
                        }
                        append newcookievalue "; $elementname=$elementvalue"
                    } else {
                        append newcookievalue "; $element"
                    }
                }
            } 
            set cookielist($cookiename) "$namevalue$newcookievalue"
        }
        HTTP::header remove "Set-Cookie"
        foreach cookiename [array names cookielist] {
                           log local0. "Remove CookieName = $cookielist($cookiename) ProxyPass"                 
    
                       HTTP:header insert "Set-Cookie" $cooklist($cookiename) 
    
            if {$static::ProxyPassDebug > 1} {
                log local0. "$log_prefix: Inserting cookie: $cookielist($cookiename)"
            }
        }
    }

    }

     

  • Cookies are unable to be generated when having HttpOnly.

    this is mine.

    # irule
    
    root@(ve11c)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm rule qux
    ltm rule qux {
        when HTTP_RESPONSE {
      if { [HTTP::header exists "Set-Cookie"] } {
        array unset cookielist
        foreach cookievalue [HTTP::header values "Set-Cookie"] {
          set cookiename [getfield $cookievalue "=" 1]
          set namevalue ""
          set newcookievalue ""
          log local0. "CookieName = $cookiename ProxyPass"
          log local0. "CookieValue = $cookievalue ProxyPass"
          foreach element [split $cookievalue ";"] {
            set element [string trim $element]
            log local0. "Element = $element ProxyPass 1"
            if { $namevalue equals "" } {
              set namevalue $element
            } else {
              if { $element contains "=" } {
                set elementname [getfield $element "=" 1]
                set elementvalue [getfield $element "=" 2]
                if { [string tolower $elementname] eq "domain" } {
                  set elementvalue [string trimright $elementvalue "."]
                  append elementvalue "."
                }
                append newcookievalue "; $elementname=$elementvalue"
              } else {
                append newcookievalue "; $element"
              }
            }
          }
          set cookielist($cookiename) "$namevalue$newcookievalue"
        }
        HTTP::header remove "Set-Cookie"
        foreach cookiename [array names cookielist] {
          log local0. "Remove CookieName = $cookielist($cookiename) ProxyPass"
          HTTP::header insert "Set-Cookie" $cookielist($cookiename)
          log local0. "Inserting cookie: $cookielist($cookiename)"
        }
      }
    }
    }
    
    # client
    
    [root@bip8:Active:Standalone] config # curl -I http://172.28.24.10
    HTTP/1.1 200 OK
    Date: Fri, 08 May 2015 06:42:12 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Sun, 09 Feb 2014 08:39:51 GMT
    ETag: "41879c-59-2a9c23c0"
    Accept-Ranges: bytes
    Content-Length: 89
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: PHPSESSID=eur026tal67g54keu6oj5gphh6; expires=Fri, 08-May-2015 13:23:10 GMT; path=/; domain=www.supportourtroopscanada.com.; HttpOnly
    Set-Cookie: cookie1=value1; Path=/; HttpOnly
    
    # /var/log/ltm
    
    [root@ve11c:Active:In Sync] config # tail -f /var/log/ltm
    May  8 15:01:17 ve11c info tmm[15145]: Rule /Common/qux : CookieName = cookie1 ProxyPass
    May  8 15:01:17 ve11c info tmm[15145]: Rule /Common/qux : CookieValue = cookie1=value1; Path=/; HttpOnly ProxyPass
    May  8 15:01:17 ve11c info tmm[15145]: Rule /Common/qux : Element = cookie1=value1 ProxyPass 1
    May  8 15:01:17 ve11c info tmm[15145]: Rule /Common/qux : Element = Path=/ ProxyPass 1
    May  8 15:01:17 ve11c info tmm[15145]: Rule /Common/qux : Element = HttpOnly ProxyPass 1
    May  8 15:01:17 ve11c info tmm[15145]: Rule /Common/qux : CookieName = PHPSESSID ProxyPass
    May  8 15:01:17 ve11c info tmm[15145]: Rule /Common/qux : CookieValue = PHPSESSID=eur026tal67g54keu6oj5gphh6; expires=Fri, 08-May-2015 13:23:10 GMT; path=/; domain=www.supportourtroopscanada.com.; HttpOnly ProxyPass
    May  8 15:01:17 ve11c info tmm[15145]: Rule /Common/qux : Element = PHPSESSID=eur026tal67g54keu6oj5gphh6 ProxyPass 1
    May  8 15:01:17 ve11c info tmm[15145]: Rule /Common/qux : Element = expires=Fri, 08-May-2015 13:23:10 GMT ProxyPass 1
    May  8 15:01:17 ve11c info tmm[15145]: Rule /Common/qux : Element = path=/ ProxyPass 1
    May  8 15:01:17 ve11c info tmm[15145]: Rule /Common/qux : Element = domain=www.supportourtroopscanada.com. ProxyPass 1
    May  8 15:01:17 ve11c info tmm[15145]: Rule /Common/qux : Element = HttpOnly ProxyPass 1
    May  8 15:01:17 ve11c info tmm[15145]: Rule /Common/qux : Remove CookieName = PHPSESSID=eur026tal67g54keu6oj5gphh6; expires=Fri, 08-May-2015 13:23:10 GMT; path=/; domain=www.supportourtroopscanada.com.; HttpOnly ProxyPass
    May  8 15:01:17 ve11c info tmm[15145]: Rule /Common/qux : Inserting cookie: PHPSESSID=eur026tal67g54keu6oj5gphh6; expires=Fri, 08-May-2015 13:23:10 GMT; path=/; domain=www.supportourtroopscanada.com.; HttpOnly
    May  8 15:01:17 ve11c info tmm[15145]: Rule /Common/qux : Remove CookieName = cookie1=value1; Path=/; HttpOnly ProxyPass
    May  8 15:01:17 ve11c info tmm[15145]: Rule /Common/qux : Inserting cookie: cookie1=value1; Path=/; HttpOnly
    

    I wanted to strip the string "HttpOnly" or "httponly" out of the cookie line.

    anyway, if you want, you may use string map to remove httponly (i.e. replace it with null).

    set cookievalue [string map -nocase {"httponly" ""} $cookievalue]
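
The `string map` one-liner above deletes every occurrence of the text `httponly`, including inside a cookie's value, and leaves the trailing `; ` separator behind. As an added example (not part of the original replies), this plain-Tcl sketch drops only an attribute whose name matches exactly; `strip_cookie_attr` is a hypothetical helper name and the `pref` cookie is a constructed sample.

```tcl
# Added example: attribute-aware removal, written in Tcl 8.4-compatible
# syntax so the loop body can be reused inside an iRule.
# strip_cookie_attr is a hypothetical helper, not an F5 command.
proc strip_cookie_attr {cookievalue attr} {
    set attr [string tolower $attr]
    set kept {}
    set first 1
    foreach element [split $cookievalue ";"] {
        set element [string trim $element]
        if {$first} {
            # The first element is always name=value; never alter it.
            set first 0
            lappend kept $element
            continue
        }
        # Skip empty elements produced by a trailing or doubled ";".
        if {$element eq ""} { continue }
        # The attribute name is the text before the first "=", if any.
        set idx [string first "=" $element]
        if {$idx >= 0} {
            set name [string range $element 0 [expr {$idx - 1}]]
        } else {
            set name $element
        }
        # Drop the attribute only on an exact, case-insensitive name match.
        if {[string tolower [string trim $name]] eq $attr} { continue }
        lappend kept $element
    }
    return [join $kept "; "]
}

# First sample is the PHPSESSID header from this thread; the second is
# constructed so that the cookie *value* also contains "httponly".
foreach sample [list \
    "PHPSESSID=eur026tal67g54keu6oj5gphh6; expires=Fri, 08-May-2015 13:23:10 GMT; path=/; domain=www.supportourtroopscanada.com.; HttpOnly" \
    "pref=httponly-banner-seen; Path=/; httponly"] {
    set naive [string map -nocase {"httponly" ""} $sample]
    set exact [strip_cookie_attr $sample "HttpOnly"]
    puts "string map : <$naive>"
    puts "attribute  : <$exact>"
}
```

Run it with `tclsh` and compare the two lines printed for each sample: only the attribute-aware version leaves the `pref` value intact.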