For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ScottTS's avatar
ScottTS
Icon for Nimbostratus rankNimbostratus
Oct 01, 2013

Issue seeing session cookie in subsequent requests after being inserted using irule.

Greetings. A vendor requested that we deploy this irule for the purpose of associating connections to the same session so that they can be replayed appropriately with their tool. The irule came from the vendor and has been used by there other customers succesfully. I see the cookies, TLTSID and TLTUID being inserted by the LTM on the response and being received by the client workstation. However, i do not see the TLTSID and TLTUID cookies being sent on subsequent GET requests from the client. Since the TSTSID and TLTUID cookies are not seen in the request, the LTM irule generates and inserts new cookies on the request. I see those new cookies being sent from the LTM to the loadbalanced server(s). However, on the first payload response, the cookies are not present and yet new cookies get generated and inserted on there way back to the client. I made sure the browser is configured to accept all cookies. We also have the LTM insert a session cookie via the LTM cookie persistence profile that we use for persistence. I see that cookie present in http header and it is the same cookie seen in subsequent requests from the client. So it is working appropriately. Any help would be appreciated. thanks! Scott.

when HTTP_REQUEST { if { ([HTTP::cookie exists "TLTSID" ]) } { set tltsid "" } else { binary scan [md5 "[IP::client_addr][TCP::client_port][clock seconds][expr rand()]"] H* hex set tltsid [string toupper $hex] HTTP::cookie insert name "TLTSID" value $tltsid path "/" domain ".tld.com" } if { ([HTTP::cookie exists "TLTUID" ]) } { set tltuid "" } else { binary scan [md5 "[IP::client_addr][TCP::client_port][clock seconds][expr rand()]"] H* hex set tltuid [string toupper $hex] HTTP::cookie insert name "TLTUID" value $tltuid path "/" domain ".tld.com" } }

when HTTP_RESPONSE { if { not ( $tltsid equals "") } { HTTP::cookie insert name "TLTSID" value $tltsid path "/" domain ".tld.com" } if { not ( $tltuid equals "") } { HTTP::cookie insert name "TLTUID" value $tltuid path "/" domain ".tld.com" HTTP::cookie expires "TLTUID" 51840000 relative } }
application delivery
deployment
design
devops
iRules

2 Replies

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Oct 02, 2013

    Silly question maybe, but are you accessing the virtual server by name (not IP), and if so is it under the ".tld.com" domain (ex. www.tld.com, foo.tld.com, etc.)?

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Oct 02, 2013

    You mentioned:

     

    I see the cookies, TLTSID and TLTUID being inserted by the LTM on the response and being received by the client workstation. However, i do not see the TLTSID and TLTUID cookies being sent on subsequent GET requests from the client

     

    which tells me that this is a client side issue. If the cookies are being sent to the browser, but the browser doesn't send them back, you can generally infer that there's probably either something wrong with the cookie, or some attribute of the cookie (path, domain, expiration, secure, httponly) that is causing the browser to not send it back. The domain attribute immediately stands out in your code. If you're setting a domain attribute in the cookie, and the browser isn't requesting something from that domain, it simply won't send back the cookie.