Forum Discussion
LTM 11.1.0 Cookie httponly flag TCL errors
All,
Have deployed the cookie httponly flag for PCI compliance. The new iRule takes down the website when applied. I am running http classes and I had to do httpclass disable for other iRules. Has anyone run into this issue?
Thanks,
Bryce

    when HTTP_RESPONSE {
        # Check if the response contains the persistence cookie
        if {[HTTP::cookie BIGipServerWeblogic_Pool_STAGING] ne ""} {
            # Set the httponly flag on the persistence cookie if it is in the response
            HTTP::cookie httponly BIGipServerWeblogic_Pool_STAGING enable
        }
    }

TCL Errors
Jun 19 18:07:14 tmm2 err tmm2[8165]: 01220001:3: TCL error: /Common/BBB_Staging_Cookie_Flag - Improper version (line 7) invoked from within "HTTP::cookie httponly BIGipServerWeblogic_Pool_STAGING enable"
Jun 19 18:07:14 tmm err tmm[8163]: 01220001:3: TCL error: /Common/BBB_Staging_Cookie_Flag - Improper version (line 1) invoked from within "HTTP::cookie httponly BIGipServerWeblogic_Pool_STAGING enable"
Jun 19 18:07:17 tmm2 err tmm2[8165]: 01220001:3: TCL error: /Common/BBB_Staging_Cookie_Flag - Improper version (line 5) invoked from within "HTTP::cookie httponly BIGipServerWeblogic_Pool_STAGING enable"
Jun 19 18:07:29 tmm3 err tmm3[8166]: 01220001:3: TCL error: /Common/BBB_Staging_Cookie_Flag - Improper version (line 7) invoked from within "HTTP::cookie httponly BIGipServerWeblogic_Pool_STAGING enable"
5 Replies
- hoolio
Cirrostratus
Hey Bryce,
Sorry for the slow reply on this. I got sidetracked. Because HttpOnly can only be set for cookies with version 1 or 2 and the default version is 0, this is probably the cause of the problem. Can you set the version to 1 first:

    # Set HttpOnly on all LTM and app generated cookies
    when HTTP_RESPONSE {
        set cookieNames [HTTP::cookie names]
        foreach aCookie $cookieNames {
            HTTP::cookie version $aCookie 1
            HTTP::cookie httponly $aCookie enable
        }
    }

Or just for one statically defined cookie:

    when HTTP_RESPONSE {
        HTTP::cookie version myCookie 1
        HTTP::cookie httponly myCookie enable
    }

Aaron
- nitass
Employee
I got an illegal argument error on HTTP::cookie version.

    Jun 21 14:27:01 ve11a err tmm1[10969]: 01220001:3: TCL error: /Common/myrule - Illegal argument (line 1) invoked from within "HTTP::cookie version BIGipServerfoo 1"

So, I remove the cookie and add it back later.
e.g.

    [root@ve11a:Active:Changes Pending] config # tmsh list ltm virtual bar
    ltm virtual bar {
        destination 172.28.20.16:80
        ip-protocol tcp
        mask 255.255.255.255
        persist {
            cookie {
                default yes
            }
        }
        pool foo
        profiles {
            http { }
            tcp { }
        }
        rules {
            myrule
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vlans-disabled
    }
    [root@ve11a:Active:Changes Pending] config # tmsh list ltm rule myrule
    ltm rule myrule {
        when HTTP_RESPONSE {
            if { [HTTP::cookie BIGipServerfoo] ne "" } {
                set ck_value [HTTP::cookie value BIGipServerfoo]
                set ck_path [HTTP::cookie path BIGipServerfoo]
                HTTP::cookie remove BIGipServerfoo
                HTTP::cookie insert name BIGipServerfoo value $ck_value path $ck_path version 1
                HTTP::cookie httponly BIGipServerfoo enable
            }
        }
    }
    [root@ve11a:Active:Changes Pending] config # curl -I http://172.28.20.16
    HTTP/1.1 200 OK
    Date: Fri, 21 Jun 2013 06:58:06 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Thu, 23 May 2013 00:28:46 GMT
    ETag: "4185a8-59-c3efab80"
    Accept-Ranges: bytes
    Content-Length: 89
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: BIGipServerfoo=1707657416.20480.0000;HttpOnly;Path=/;Version=1;

- Bryce_Halkerst1
Nimbostratus
Aaron,
Thanks for your quick response. I just need the httponly flag for 2 cookies. Going to perform the following iRule on staging.
Thanks,
Bryce

    when HTTP_RESPONSE {
        # Check if the response contains the Foo cookie
        if {[HTTP::cookie BIGipServerWeblogic_Foo] ne ""} {
            HTTP::cookie version BIGipServerWeblogic_Foo 1
            HTTP::cookie httponly BIGipServerWeblogic_Foo enable
        }
        # Check if the response contains the FooBoo cookie
        if {[HTTP::cookie FooBoo] ne ""} {
            HTTP::cookie version FooBoo 1
            HTTP::cookie httponly FooBoo enable
        }
    }

- galky_104921
Nimbostratus
I get the same error - illegal argument error on HTTP::cookie version. Any solution?
- Have you read the replies above? One solution would be to set the version. Did that work for you?
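
One way to confirm the result from the client side, as an added example that is not part of the original thread: the script parses response headers like the `curl -I` output above and reports whether each named cookie carries HttpOnly. The header sample is constructed from that output; the `FooBoo` line without the flag and the `JSESSIONID` name are assumptions added for illustration.

```python
# Added example: audit Set-Cookie headers for the HttpOnly attribute.
# SAMPLE_RESPONSE is constructed: the first Set-Cookie line mirrors the curl -I
# output in the thread, the FooBoo line is made up to show the failing case.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Date: Fri, 21 Jun 2013 06:58:06 GMT
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerfoo=1707657416.20480.0000;HttpOnly;Path=/;Version=1;
Set-Cookie: FooBoo=abc123; path=/
"""


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attrs); attribute keys are lowercased."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return "", {}
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        # Flag attributes such as HttpOnly have no "=", so their value is "".
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_httponly(raw_headers, required):
    """Return {cookie_name: True | False | None} for each required cookie.

    True = set with HttpOnly, False = set without it, None = not in the response.
    """
    result = {name: None for name in required}
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name in result:
            # If a cookie is set more than once, this script keeps the last header.
            result[name] = "httponly" in attrs
    return result


if __name__ == "__main__":
    labels = {True: "OK", False: "MISSING HttpOnly", None: "not set in response"}
    wanted = ["BIGipServerfoo", "FooBoo", "JSESSIONID"]  # JSESSIONID: hypothetical name
    for cookie, status in audit_httponly(SAMPLE_RESPONSE, wanted).items():
        print(f"{cookie}: {labels[status]}")
```
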