mnb_63148
Mar 04, 2014

Is there a way to tell the cookie version via a tcpdump?

Is there a way to tell the version attribute of a cookie in a Wireshark capture? When I look through a packet capture, I do not see a cookie version. I am about to deploy the following iRule to set the HTTPOnly attribute and was unsure if setting the version attribute to 1 would cause any issues.

I found this iRule on DevCentral: https://devcentral.f5.com/wiki/iRules.HTTP__cookie.ashx I am running version 11.3 Hotfix 8.

    when HTTP_RESPONSE {
        set cookieNames [HTTP::cookie names]
        foreach aCookie $cookieNames {
            HTTP::cookie version $aCookie 1
            HTTP::cookie httponly $aCookie enable
        }
    }

    when HTTP_RESPONSE {
        HTTP::cookie version myCookie 1
        HTTP::cookie httponly myCookie enable
    }

Thanks.

4 Replies

  • BinaryCanary_19
    Historic F5 Account

    I think that the only way to tell cookie version is to see what attributes are present in the cookie, and which version those attributes are valid for.

  • You can technically see the "version" attribute in the Set-Cookie header via TCPDUMP, but for the sake of setting the HTTPOnly attribute in an iRule, I've always had problems setting the version and expires attributes using the HTTP::cookie commands. Here's something that should provide what you need:

    when HTTP_RESPONSE {
        foreach aCookie [HTTP::cookie names] {
            # only rewrite the cookie if it does not already have an HttpOnly attribute
            if { [HTTP::cookie httponly $aCookie] equals "disable" } {
                set value [HTTP::cookie value $aCookie]
                set path [HTTP::cookie path $aCookie]

                # insert domain only if it exists
                if { [HTTP::cookie domain $aCookie] ne "" } {
                    set domain "domain=[HTTP::cookie domain $aCookie];"
                } else {
                    set domain ""
                }

                # insert expires only if it exists
                if { [HTTP::cookie expires $aCookie] ne "" } {
                    set expires_local [clock format [expr {[clock seconds] + [HTTP::cookie expires $aCookie]}] -format "%a, %d-%b-%Y %H:%M:%S GMT" -gmt true]
                    set expires "expires=$expires_local;"
                } else {
                    set expires ""
                }

                # remove the original cookie
                HTTP::cookie remove $aCookie

                # insert a new cookie via HTTP header inject
                HTTP::header insert "Set-Cookie" "$aCookie=$value;path=$path;${domain}${expires}HttpOnly;"
            }
        }
    }
    
  • Thanks, Kevin.

    Would it be possible to set the HTTPOnly flag without setting the version? If not, I will give your iRule a try.

    when HTTP_RESPONSE {
        set cookieNames [HTTP::cookie names]
        foreach aCookie $cookieNames {
            HTTP::cookie httponly $aCookie enable
        }
    }

    when HTTP_RESPONSE {
        HTTP::cookie httponly myCookie enable
    }


  • Using the HTTP::cookie command to set the HTTPOnly flag, you need to ensure the cookie version is at least 1. That said, I've had problems on several F5 versions getting the HTTP::cookie version command to work. The wiki uses a similar example to yours for setting HTTPOnly, and if that works on your F5 version, I'd say go for it. Otherwise my version should work across all versions.
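
Added example, not part of the original thread and not F5 code: a small Python check that reads the header block of an HTTP response copied out of a tcpdump or Wireshark capture and reports, per `Set-Cookie` header, whether a `Version` attribute is present and whether `HttpOnly` and `Secure` are set. The sample response and the function names are constructed for illustration.

```python
# Constructed sample: response text as copied from a capture (e.g. a followed TCP stream).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/app\r\n"
    "Set-Cookie: pref=dark; Version=1; Max-Age=3600; Path=/; HttpOnly\r\n"
    "Set-Cookie: sid=xyz; path=/; domain=example.com; Secure; httponly\r\n"
    "\r\n"
    "<html>Set-Cookie: notaheader=1</html>"
)


def audit_set_cookie(raw_response):
    """Return one dict per Set-Cookie header found in the response header block."""
    # Only the header block counts; the body may contain look-alike text.
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    results = []
    for line in head.split("\n")[1:]:            # skip the status line
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";") if p.strip()]
        if not parts or "=" not in parts[0]:
            continue                              # malformed name=value pair
        name = parts[0].split("=", 1)[0].strip()
        attrs = {}
        for part in parts[1:]:                    # attribute names are case-insensitive
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip().strip('"')
        results.append({
            "name": name,
            "version": attrs.get("version"),      # None when no Version attribute is sent
            "httponly": "httponly" in attrs,
            "secure": "secure" in attrs,
            "attributes": sorted(attrs),          # lets you judge which cookie format is in use
        })
    return results


def missing_httponly(raw_response):
    """Names of cookies that were set without the HttpOnly attribute."""
    return [c["name"] for c in audit_set_cookie(raw_response) if not c["httponly"]]


if __name__ == "__main__":
    for cookie in audit_set_cookie(SAMPLE_RESPONSE):
        print(cookie)
    print("missing HttpOnly:", missing_httponly(SAMPLE_RESPONSE))
```

Running it on responses captured on the client side before and after attaching the iRule shows whether HttpOnly was added and whether the other attributes, such as Secure, survived the rewrite.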