Forum Discussion
iRule needed to clear specific cookies from particular domain
Recently we moved our PeopleSoft system to a subdomain of our DNS space. So instead of all our VIPs being, for example, prod.abc.com, they are now prod.ps.abc.com.
PeopleSoft uses a cookie for single sign-on and some other features. The primary cookie is PS_TOKEN, but there are others as well.
This move, for the most part, was seamless. However, we have a particular case, generally involving Safari on Mac, where the browser can submit the old domain token (cookie), which will sometimes cause the browser to "loop" the guest authentication page hundreds, or thousands, of times a minute.
We have demonstrated that clearing the old domain cookies will solve the issue. We have demonstrated this using a static webpage with some JavaScript that is hosted on an address on the old domain (abc.com). If a browser with the "old" cookie visits our page in between, then it is cleared and works. This is a rather manual solution, and redirecting everyone there before logging in would seem to be one solution - but that will not work as we have some deep links that would be broken in that case.
What I desire (and have tried to create a few ways) is an iRule to:
- Check for the existence of the cookie PS_TOKEN (and possibly others)
- Check that the cookie domain of that cookie(s) is .abc.com
- If so, delete it (or if necessary set its expiration to -1, which is what our JS had to do)
Then pass the request on through to wherever it was headed to start with. Ideally using the pool already defined for the particular virtual server.
I haven't been able to get even the basics to seem to work. So I dropped back to seeing if the cookie is even being read by the F5, so here is where I sit now:
    when HTTP_REQUEST {
        if { [HTTP::cookie domain "PS_TOKEN"] contains ".abc.com" } {
            HTTP::respond 200 content {found abccom cookie}
        } else {
            HTTP::respond 200 content {did not find cookie}
        }
    }
This never finds the cookie (at least it doesn't tell me it did).
Any help and direction is most appreciated.
- AJ_01_135899 Cirrostratus
What about a basic cookie remove, if only as a start to troubleshooting?
    when HTTP_REQUEST {
        if { [HTTP::cookie exists "PS_TOKEN"] } {
            if { [HTTP::cookie domain "PS_TOKEN"] contains "abc.com" } {
                HTTP::cookie remove "PS_TOKEN"
            }
        }
    }
- Jeff_Brinkerho1 Nimbostratus
I tried something very similar based on an example I found. Unfortunately it does not appear to remove the cookie (from the browser side). Watching with the dev console in Chrome or IE, the cookie is still there with.
Oh, and "contains" for the evaluation won't work - as we moved to a subdomain. So it has to be "equals". Did I screw something up with this try?:
when HTTP_REQUEST { Check to be sure the cookie in question exists.
- Jeff_Brinkerho1 Nimbostratus
How do I post "code" on here, I can't seem to find the correct way....

    when HTTP_REQUEST {
        # Check to be sure the cookie in question exists.
        if { [HTTP::cookie exists PS_TOKEN] } {
            # Now check to see if the domain is .syr.edu
            set cookieDomain [HTTP::cookie domain "PS_TOKEN"]
            if { $cookieDomain == ".syr.edu" } {
                # if so, delete the cookies
                HTTP::cookie remove PS_TOKEN
                HTTP::cookie remove PS_TOKENEXPIRE
                HTTP::cookie remove PS_LOGINLIST
                HTTP::cookie remove ExpirePage
                HTTP::cookie remove SignOnDefault
                HTTP::cookie remove pgltHPReload
            }
        }
        HTTP::redirect https://ptl9unit.ps.syr.edu[HTTP::uri]
    }
- Jeff_Brinkerho1 Nimbostratus
Ahh got it...
- AJ_01_135899 Cirrostratus
What did it end up being? Digging further it looks like you'd have to do this on the HTTP_RESPONSE as well?
- Jeff_Brinkerho1 Nimbostratus
Actually, NO I didn't get it.. Bad choice of words. I meant I figured out how to post code on here... I tried to erase that comment as it's not clear.
Yes, I have dug around on this for a day +, Not sure if I have to do the remove on the response? But not sure how to do that with the goal of making this "transparent".
- AJ_01_135899 Cirrostratus
I did see a prior post about removing it on the response:
https://devcentral.f5.com/questions/irule-for-cookie-removal
It states: "If you want the client to delete a cookie you'd need to tell it to in the response. Using HTTP::cookie remove in HTTP_REQUEST is going to remove the cookie from the request that is proxied to the pool--it wouldn't have any effect on the client."
So, something like:
    when HTTP_RESPONSE {
        if { [HTTP::cookie exists "PS_TOKEN"] } {
            if { [HTTP::cookie domain "PS_TOKEN"] contains "abc.com" } {
                HTTP::cookie remove "PS_TOKEN"
            }
        }
    }
Obviously may need to tweak slightly, as I haven't tested it.
- Stanislas_Piro2 Cumulonimbus
Hi,
The HTTP::cookie remove command in the HTTP_RESPONSE event does not remove the cookie on the client browser but only on the answer. If the browser does not receive a cookie update, it will not remove it.
To force removal of the cookie on the client browser, you need to force its expiration by changing the expiration date:
    when HTTP_REQUEST {
        if { [HTTP::cookie exists "PS_TOKEN"] } {
            HTTP::respond 302 noserver Location "https://[HTTP::host][HTTP::uri]" Connection close Set-Cookie "PS_TOKEN=deleted;secure;expires=Thu, 01 Jan 1970 00:00:00 GMT"
        }
    }
or
    when HTTP_RESPONSE {
        if { [HTTP::cookie exists "PS_TOKEN"] } {
            if { [HTTP::cookie domain "PS_TOKEN"] contains "abc.com" } {
                HTTP::cookie remove "PS_TOKEN"
                HTTP::header insert Set-Cookie "PS_TOKEN=deleted;secure;expires=Thu, 01 Jan 1970 00:00:00 GMT"
            }
        }
    }
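
The following iRule is an added example, not code from any poster in the thread: it expires the legacy cookies in the browser without a redirect, by adding Set-Cookie headers whose Domain and Path match the old cookies to the pool's normal response. Assumptions: the old cookies were stored with Domain=.abc.com and Path=/, the new ones are scoped to the new subdomain, the virtual server is HTTPS, and the marker cookie name legacy_ps_cleared is hypothetical.

```tcl
when RULE_INIT {
    # Cookie names are the ones listed in the thread; the domain is the thread's example value.
    set static::legacy_names {PS_TOKEN PS_TOKENEXPIRE PS_LOGINLIST ExpirePage SignOnDefault pgltHPReload}
    set static::legacy_domain ".abc.com"
    # Hypothetical marker cookie: once set, the cleanup headers are not sent again.
    set static::marker "legacy_ps_cleared"
}

when HTTP_REQUEST {
    # A request's Cookie header carries only name=value pairs, never Domain,
    # so an old-domain PS_TOKEN and a new-domain PS_TOKEN look identical here.
    # Record which candidate names arrived and decide nothing else on the request side.
    set expire_names {}
    if { ![HTTP::cookie exists $static::marker] } {
        foreach name $static::legacy_names {
            if { [HTTP::cookie exists $name] } {
                lappend expire_names $name
            }
        }
    }
    # No HTTP::respond or redirect: the request goes on to the virtual server's pool,
    # so deep links keep working.
}

when HTTP_RESPONSE {
    if { [llength $expire_names] == 0 } { return }
    foreach name $expire_names {
        # Browsers key cookies by (name, domain, path). This expires only the
        # entry stored for the legacy domain; a same-named cookie scoped to the
        # new subdomain is a different entry and is left alone.
        HTTP::header insert Set-Cookie "$name=deleted; Domain=$static::legacy_domain; Path=/; Secure; Expires=Thu, 01 Jan 1970 00:00:00 GMT"
    }
    # Host-only session marker so later requests skip the cleanup.
    HTTP::header insert Set-Cookie "$static::marker=1; Path=/; Secure; HttpOnly"
}
```

If the legacy cookies were stored with a different Path, the Path in the expiry header has to be changed to match, otherwise the browser treats it as a separate cookie and keeps the old one.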