Forum Discussion

Steve_245
Dec 15, 2016

Looking for Feedback/Efficiency on Cookie Removal

Background: We have a homegrown portal that users log in to and then launch applications from. This portal injects a ridiculous number of cookies into the client. One or more of these cookies prevent an application from working correctly. My iRule that I quickly made to 'fix' the issue is below. Since I cannot modify the response to expire the cookies I don't want since that will break other applications if they attempt to launch them, I have to scrub any of the cookies I don't want to get to this application on every incoming request.

Question(s):

1) Aside from fixing the portal (I want to replace it with APM...we'll see) is there another avenue I should be looking at to fix this besides an iRule?

2) Can my iRule be made more efficient through using switch or data groups? I couldn't figure out how to do that since I don't know of a way to do 'not equal' or not 'starts_with' within switch or how to get the data group syntax to work. There are more cookies I have to allow than included here. I shortened it.

when HTTP_REQUEST {
    set cookies [HTTP::cookie names]
    log local0. "Inbound cookies are $cookies"
    foreach cookie $cookies {
        # Keep only allow-listed cookie names; the remaining prefixes were shortened out of the post
        if { !($cookie starts_with "f5" or $cookie starts_with "" or $cookie starts_with "") } {
            HTTP::cookie remove $cookie
            log local0. "Removing cookie $cookie"
        }
    }
}
  • How about if you use a datagroup that has the Host header, or URI as data and a list of cookies to be removed. Match on host ( or URI ), retrieve list of cookies, loop through cookies and if matches list then remove cookie. URI-class: "/app1/user" => "cookie1;cookie2;cookie3"

    eg

    when HTTP_REQUEST {
        # URI-class is a string data group: "/app1/user" => "cookie1;cookie2;cookie3"
        set value [class match -value [HTTP::uri] starts_with URI-class]
        if { $value ne "" } {
            set cookies_remove [split $value ";"]
            foreach cookie [HTTP::cookie names] {
                # lsearch returns -1 when the name is not in the list
                if { [lsearch -exact $cookies_remove $cookie] >= 0 } {
                    HTTP::cookie remove $cookie
                }
            }
        }
    }
    
  • Hi Steve,

    1.) Using an iRule is the only way to sanitize HTTP-request cookies.

    2a.) If you need to whitelist fewer than 5 cookie names, then [if] is probably the best choice.

    when HTTP_REQUEST {
        foreach cookie [HTTP::cookie names] {
            if { not ( ( $cookie starts_with "f5" )
                    or ( $cookie starts_with "" ) 
                    or ( $cookie starts_with "" )
                    or ( $cookie starts_with "" )
                    or ( $cookie starts_with "" ) ) } then {
                HTTP::cookie remove $cookie
                 log local0. "Removing cookie $cookie"
            }
        }
    }
    

    2b.) If you need to whitelist more than 5 but fewer than 50 cookie names, then [switch -glob] is probably the best choice.

    when HTTP_REQUEST {
        foreach cookie [HTTP::cookie names] {
            switch -glob -- $cookie {
                "f5*" -
                "*" -
                "*" -
                "*" -
                "*" -
                "*" -
                "*" -
                "*" -
                "*" -
                "*" { 
                     # Keep the cookie...
                }
                default {
                    HTTP::cookie remove $cookie
                     log local0. "Removing cookie $cookie"
                }
            }
        }
    }
    

    2c.) If you need to whitelist more than 50 cookie names, then [class] (aka. data-groups) is probably the best choice.

    ltm data-group internal DataGroup_Cookie_Whitelist {
        records {
            "f5" {}
            "" {}
            "" {}
            "" {}
            "" {}
            "" {}
            "" {}
            "" {}
            "" {}
            "" {}
        }
        type string
    }
    when HTTP_REQUEST {
        foreach cookie [HTTP::cookie names] {
            if { not ( [class match $cookie starts_with "DataGroup_Cookie_Whitelist"] ) } then {
                HTTP::cookie remove $cookie
                 log local0. "Removing cookie $cookie"
            }
        }
    }
    

    Note: The mentioned "best-choice" is purely based on performance data. Personal preferences may result in different "best-choices" 😉

    Cheers, Kai
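The two scrubbing strategies in this thread (Steve's and Kai's allowlist-by-prefix, and the first answer's per-URI removal list from a data group) can be exercised outside BIG-IP with the Python model below. It is an added example, not code from the thread or from F5: it parses a raw `Cookie` request header, applies the same decisions the iRules make, and rebuilds the header. `ALLOWED_COOKIE_GLOBS`, `URI_REMOVE_LISTS` and the sample header are constructed values, and `lookup_remove_list` simply returns the first table prefix the URI starts with; it is a stand-in for `class match -value ... starts_with`, not a claim about BIG-IP's own matching order.

```python
"""Model of the thread's cookie-scrubbing iRules, written in plain Python so the
matching logic can be exercised offline (added example, not F5 or the posters' code)."""
from fnmatch import fnmatchcase

# Constructed allowlist of cookie-name patterns, in the spirit of Kai's `switch -glob`
# block: any cookie whose name matches none of these is stripped from the request.
ALLOWED_COOKIE_GLOBS = ("f5*", "JSESSIONID")

# Constructed stand-in for the first answer's URI-class data group:
# URI prefix => ';'-separated names of cookies to remove on that path.
URI_REMOVE_LISTS = {
    "/app1/user": "portalTheme;portalLayout",
}


def parse_cookie_header(header):
    """Split a Cookie request header into ordered (name, value) pairs.

    Order and duplicates are preserved, which matches what [HTTP::cookie names]
    hands the iRule's foreach loop.
    """
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip() if sep else ""))
    return pairs


def build_cookie_header(pairs):
    """Serialise (name, value) pairs back into a Cookie header."""
    return "; ".join(f"{n}={v}" if v != "" else n for n, v in pairs)


def is_allowed(name, allowed=ALLOWED_COOKIE_GLOBS):
    """True when the cookie name matches one of the allowlist globs."""
    return any(fnmatchcase(name, pattern) for pattern in allowed)


def scrub_by_allowlist(header, allowed=ALLOWED_COOKIE_GLOBS):
    """Keep only allow-listed cookies; returns (new_header, removed_names)."""
    kept, removed = [], []
    for name, value in parse_cookie_header(header):
        if is_allowed(name, allowed):
            kept.append((name, value))
        else:
            removed.append(name)
    return build_cookie_header(kept), removed


def lookup_remove_list(uri, table=URI_REMOVE_LISTS):
    """Return the removal list of the first table prefix the URI starts with.

    Stand-in for `class match -value [HTTP::uri] starts_with URI-class`.
    """
    for prefix, value in table.items():
        if uri.startswith(prefix):
            return [c for c in value.split(";") if c]
    return []


def scrub_by_uri(uri, header, table=URI_REMOVE_LISTS):
    """Remove only the cookies listed for this URI; returns (new_header, removed_names)."""
    to_remove = set(lookup_remove_list(uri, table))
    kept, removed = [], []
    for name, value in parse_cookie_header(header):
        if name in to_remove:
            removed.append(name)
        else:
            kept.append((name, value))
    return build_cookie_header(kept), removed


if __name__ == "__main__":
    # Constructed sample request header with portal-injected cookies mixed in.
    sample = "f5_session=abc; portalTheme=dark; JSESSIONID=xyz; portalLayout=wide"
    print(scrub_by_allowlist(sample))
    print(scrub_by_uri("/app1/user/profile", sample))
    print(scrub_by_uri("/app2/", sample))
```

Two things the model makes visible that the iRules hide: a prefix or glob allowlist such as `f5*` keeps every cookie whose name starts with `f5`, so an exact name in the list is the tighter choice when you know it; and, as Steve notes in the question, request-side scrubbing only changes what the back-end application sees, the browser still holds and resends the portal's cookies on every request.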