Forum Discussion

dipta_03_149731's avatar
dipta_03_149731
Icon for Nimbostratus rankNimbostratus
Nov 23, 2015

How to write an Irule to delete session cookies so that we can enhnace security level.

We have few admin URLs that we dont want to be accessed by a 3rd person after we logout from the application. So can we write an Irule to " set all cookies to expired state".  
BIG-IP
security
dipta_03_149731's avatar
dipta_03_149731
Icon for Nimbostratus rankNimbostratus
Nov 23, 2015

So Hannes its bit different here. We already have a page where we have put in all below things:

 

A) It causes the Reverse Proxy to kill the session B) Then it returns an HTML page to be displayed in the browser stating sesson has expired etc.

 

Now That HTML page currently includes javascript that will set all cookies to expired. Currently it is that javascript that (tries to) get rid of all the cookies. The idea with an Irule is to get rid of all cookies instead of a javascript running in the HTML page. Not only would this new approach be definitive and not affected by different javascript engines in different browsers, it would also allow us to enable httponly on all cookies.