Forum Discussion
httponly cookie flag
Hi,
I am trying to use this iRule, but when I enable the httponly option the VS is not working:
when HTTP_RESPONSE {
    HTTP::cookie version 1
    HTTP::cookie secure enable
    HTTP::cookie domain
    HTTP::cookie httponly enable
}
If I use HTTP::header I lose persistency between the nodes in the pool:
when HTTP_RESPONSE {
    set ck [HTTP::header values "Set-Cookie"]
    foreach acookie $ck {
        if {$acookie starts_with ""} {
            HTTP::header replace "Set-Cookie" "${acookie}; HttpOnly; Secure"
        }
    }
}
Any help please? Thanks
2 Replies
- nitass
Employee
If I use HTTP::header I lose persistency between the nodes in the pool:
Have you seen the cookie in subsequent requests?
- David_Stout
Nimbostratus
I use this iRule. If you are running Version 11 code you can remove the hash in front of the marked line. HTTPOnly is only available in V11. It doesn't affect persistence.
when RULE_INIT {
    # Cookie name prefix
    set static::ck_pattern "BIGipServer*"

    # Log debug to /var/log/ltm? (1=yes, 0=no)
    set static::ck_debug 0

    # Cookie encryption passphrase
    # Change this to a custom string!
    set static::ck_pass "somesecurepass1234"
}
when HTTP_REQUEST {
    if {$static::ck_debug}{log local0. "Request cookie names: [HTTP::cookie names]"}

    # Check if the cookie names in the request match our string glob pattern
    if {[set cookie_names [lsearch -all -inline [HTTP::cookie names] $static::ck_pattern]] ne ""}{

        # We have at least one match so loop through the cookie(s) by name
        if {$static::ck_debug}{log local0. "Matching cookie names: [HTTP::cookie names]"}
        foreach cookie_name $cookie_names {

            # Decrypt the cookie value and check if the decryption failed (null return value)
            if {[HTTP::cookie decrypt $cookie_name $static::ck_pass] eq ""}{

                # Cookie wasn't encrypted, delete it
                if {$static::ck_debug}{log local0. "Removing cookie as decryption failed for $cookie_name"}
                HTTP::cookie remove $cookie_name
            }
        }
        if {$static::ck_debug}{log local0. "Cookie header(s): [HTTP::header values Cookie]"}
    }
}
when HTTP_RESPONSE {
    if {$static::ck_debug}{log local0. "Response cookie names: [HTTP::cookie names]"}

    # Check if the cookie names in the response match our string glob pattern
    if {[set cookie_names [lsearch -all -inline [HTTP::cookie names] $static::ck_pattern]] ne ""}{

        # We have at least one match so loop through the cookie(s) by name
        if {$static::ck_debug}{log local0. "Matching cookie names: [HTTP::cookie names]"}
        foreach cookie_name $cookie_names {

            # Encrypt the cookie value
            HTTP::cookie encrypt $cookie_name $static::ck_pass
            HTTP::cookie secure $cookie_name enable

            # added in V11 code (remove the hash on the next line when running V11)
            # HTTP::cookie httponly $cookie_name enable
        }
        if {$static::ck_debug}{log local0. "Set-Cookie header(s): [HTTP::header values Set-Cookie]"}
    }
}
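A client-side check that the `Secure` and `HttpOnly` attributes are present on cookies matching the `BIGipServer*` pattern used in the iRule above. This is an added example, not code from the thread or from F5. The function names are hypothetical and the sample header values are constructed.

```python
from fnmatch import fnmatchcase

# Same glob the iRule above assigns to static::ck_pattern.
CK_PATTERN = "BIGipServer*"
REQUIRED = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as Secure have no value.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def missing_flags(set_cookie_headers, pattern=CK_PATTERN):
    """Return {cookie_name: [missing flags]} for cookies whose name matches pattern."""
    findings = {}
    for header_value in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header_value)
        if not fnmatchcase(name, pattern):
            continue
        # Only real attributes count, not text inside the cookie value.
        missing = [flag for flag in REQUIRED if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample Set-Cookie values (not captured from a real BIG-IP).
BEFORE = [
    "BIGipServerpool_web=1677787402.20480.0000; path=/",
    "JSESSIONID=abc123httponly; Path=/app",
]
AFTER = [
    "BIGipServerpool_web=exampleEncryptedValue; path=/; Secure; HttpOnly",
    "JSESSIONID=abc123httponly; Path=/app",
]

if __name__ == "__main__":
    print("before:", missing_flags(BEFORE))
    print("after: ", missing_flags(AFTER))
    print("all cookies:", missing_flags(BEFORE, pattern="*"))
```

Feed it one string per `Set-Cookie` header from a response; folding several headers into one comma-joined string first would break the parsing.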