mjbeadle
Jul 19, 2013

Issue with iRule adding secure cookie flag

I am using the common iRule for setting the secure cookie flag on each cookie:

    when HTTP_RESPONSE {
        set cookies [HTTP::cookie names]
        # Loop through each cookie by name in request
        foreach aCookie $cookies {
            # Replace cookie name from list and set Secure Flag to Enable
            HTTP::cookie secure $aCookie enable
        }
    }

The issue comes up when there is a cookie whose data has a space in it. The iRule appears to truncate the cookie at the space.

 

cookie=CGI&SPONSOR_UserRole=Information Services&SPONSOR

 

Any thoughts on how to get the iRule to process this cookie correctly?

Thanks-

Mike

6 Replies

  • Well, it looks like the space breaks it reading the cookie. I changed the iRule to log the cookie instead of adding the flag and I see a cookie with name Services&SPONSOR (the text after the space). Is there any way to work around this on the F5 or will it have to be a change in the site?

    Mike
  • If you add in some logging, what do you see?

    
    when HTTP_RESPONSE {
        set cookies [HTTP::cookie names]
        # Loop through each cookie by name in request
        foreach aCookie $cookies {
            log local0. "$aCookie = [HTTP::cookie value $aCookie]"
            # Replace cookie name from list and set Secure Flag to Enable
            HTTP::cookie secure $aCookie enable
        }
    }
    

    What F5 version are you on?

  • "The issue comes up when there is a cookie whose data has a space in it."

    I thought a cookie value does not contain whitespace.

    HTTP cookie

    http://en.wikipedia.org/wiki/HTTP_cookie

    anyway, it seems okay to me here.

    e.g.

    [root@ve10:Active] config # b version|grep -iA 1 version
    BIG-IP Version 10.2.4 655.0
    Hotfix HF4 Edition
    
    [root@ve10:Active] config # b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.252:80
       ip protocol 6
       rules myrule
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve10:Active] config # b pool foo list
    pool foo {
       members 200.200.200.101:80 {}
    }
    [root@ve10:Active] config # b rule myrule list
    rule myrule {
       when HTTP_RESPONSE {
          set cookies [HTTP::cookie names]
          foreach aCookie $cookies {
             log local0. "$aCookie = [HTTP::cookie value $aCookie]"
             HTTP::cookie secure $aCookie enable
          }
       }
    }
    
    # log

    [root@ve10:Active] config # cat /var/log/ltm
    Jul 22 17:29:54 local/tmm info tmm[26228]: Rule myrule : cookie = CGI&SPONSOR_UserRole=Information Services&SPONSOR
    
    # trace

    [root@ve10:Active] config # ssldump -Aed -nni 0.0 port 80
    New TCP connection 1: 172.28.20.17(47282) <-> 172.28.19.252(80)
    1374485394.6293 (0.0010)  C>S
    ---------------------------------------------------------------
    HEAD / HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: 172.28.19.252
    Accept: */*
    
    ---------------------------------------------------------------
    
    New TCP connection 2: 200.200.200.10(47282) <-> 200.200.200.101(80)
    1374485394.6321 (0.0010)  C>S
    ---------------------------------------------------------------
    HEAD / HTTP/1.1
    User-Agent: curl/7.15.5 (i686-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
    Host: 172.28.19.252
    Accept: */*
    
    ---------------------------------------------------------------
    
    1374485394.6353 (0.0031)  S>C
    ---------------------------------------------------------------
    HTTP/1.1 200 OK
    Date: Mon, 22 Jul 2013 09:40:26 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Thu, 23 May 2013 00:28:46 GMT
    ETag: "4185a8-59-c3efab80"
    Accept-Ranges: bytes
    Content-Length: 89
    Set-Cookie: cookie=CGI&SPONSOR_UserRole=Information Services&SPONSOR
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    ---------------------------------------------------------------
    
    1374485394.6354 (0.0060)  S>C
    ---------------------------------------------------------------
    HTTP/1.1 200 OK
    Date: Mon, 22 Jul 2013 09:40:26 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Thu, 23 May 2013 00:28:46 GMT
    ETag: "4185a8-59-c3efab80"
    Accept-Ranges: bytes
    Content-Length: 89
    Set-Cookie: cookie=CGI&SPONSOR_UserRole=Information Services&SPONSOR;secure;
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    ---------------------------------------------------------------
    
  • Running 11.3.0.

     

    I did add some logging and found that it was showing a cookie with the name containing the text after the space in the first cookie.

     

  • With the string you are using to test, add = to the string, so it would look something like

     

    SRS0=CGI&SPONSOR_UserRole=Information Services&SPONSOR_MLID=iaGgsohWthE%2BNvC

     

    Mike

     

     

  • I think the correct way is to fix the cookie value at the server.

    Anyway, if there is a small number of cookie values containing a space, you may temporarily remove the space and add it back after securing the cookie.

    e.g.

    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm virtual bar15
    ltm virtual bar15 {
        destination 172.28.20.15:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            tcp { }
        }
        rules {
            myrule
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vlans-disabled
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm rule myrule
    ltm rule myrule {
        when HTTP_RESPONSE {
            # remove space
            set cklist [HTTP::header values Set-Cookie]
            HTTP::header remove Set-Cookie
            foreach ck $cklist {
                HTTP::header insert Set-Cookie [string map {"Information Services" "InformationServices"} $ck]
            }

            # secure cookie
            foreach aCookie [HTTP::cookie names] {
                HTTP::cookie secure $aCookie enable
            }

            # add space
            set cklist [HTTP::header values Set-Cookie]
            HTTP::header remove Set-Cookie
            foreach ck $cklist {
                HTTP::header insert Set-Cookie [string map {"InformationServices" "Information Services"} $ck]
            }
        }
    }
    
    # original response

    [root@ve11a:Active:Changes Pending] config # curl -I http://200.200.200.101
    HTTP/1.1 200 OK
    Date: Mon, 22 Jul 2013 14:06:26 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Thu, 23 May 2013 00:28:46 GMT
    ETag: "4185a8-59-c3efab80"
    Accept-Ranges: bytes
    Content-Length: 89
    Set-Cookie: SRS0=CGI&SPONSOR_UserRole=Information Services&SPONSOR_MLID=iaGgsohWthE%2BNvC
    Set-Cookie: EPowerV4Users=carrefourvoyagesb2b=13_user; path=/; secure
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    # response after passing bigip

    [root@ve11a:Active:Changes Pending] config # curl -I http://172.28.20.15
    HTTP/1.1 200 OK
    Date: Mon, 22 Jul 2013 14:06:35 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Thu, 23 May 2013 00:28:46 GMT
    ETag: "4185a8-59-c3efab80"
    Accept-Ranges: bytes
    Content-Length: 89
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: SRS0=CGI&SPONSOR_UserRole=Information Services&SPONSOR_MLID=iaGgsohWthE%2BNvC;secure;
    Set-Cookie: EPowerV4Users=carrefourvoyagesb2b=13_user; path=/; secure
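
An alternative to the per-value string map workaround above, added here as an example and not code from any poster in the thread: it appends Secure to each raw Set-Cookie header and never calls HTTP::cookie, so a space inside a cookie value is not re-parsed. It uses the HTTP::header commands shown in the thread plus standard Tcl string and list commands, and assumes attributes are separated by ";"; it has not been run against the 11.3.0 system discussed.

```tcl
# Added example: set the Secure attribute by rewriting Set-Cookie headers
# as opaque strings instead of going through the HTTP::cookie parser.
when HTTP_RESPONSE {
    # Nothing to do if the server set no cookies.
    if { ![HTTP::header exists Set-Cookie] } { return }

    # Copy every Set-Cookie header line, then remove the originals.
    set cklist [HTTP::header values Set-Cookie]
    HTTP::header remove Set-Cookie

    foreach ck $cklist {
        # Element 0 of the split is name=value and is never modified;
        # only the attributes after the first ";" are inspected.
        set has_secure 0
        foreach attr [lrange [split $ck ";"] 1 end] {
            if { [string tolower [string trim $attr]] eq "secure" } {
                set has_secure 1
                break
            }
        }

        if { !$has_secure } {
            # Drop a trailing ";" or whitespace so the result does not
            # end up with an empty attribute, then append the flag.
            set ck [string trimright $ck "; \t"]
            append ck "; Secure"
        }

        # Re-insert the header, value bytes (including spaces) unchanged.
        HTTP::header insert Set-Cookie $ck
    }
}
```

Comparing the Set-Cookie lines from `curl -I` against the pool member and against the virtual server, as done in the replies above, confirms that each cookie keeps its full value and carries exactly one Secure attribute.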