Forum Discussion

Dave_Burnett_20's avatar
Dave_Burnett_20
Icon for Nimbostratus rankNimbostratus
Nov 10, 2008

Modified Domain Cookie blocking

We have recently installed a pair of F56400s (v9.4.3) in front of our website with ASM in blocking mode.     Despite the fact that our Website only utilises a handful of cookies (all confi...
app sec
BIG-IP Access Policy Manager (APM)
security
hooleylist's avatar
hooleylist
Icon for Cirrostratus rankCirrostratus
Dec 13, 2010
That looks like it should work. You could add logging to see what's happening. If it's a production virtual server, try adding the logging just for your client IP.

You could combine the two iRules so you only loop through the cookies once: 


when CLIENT_ACCEPTED {

    Check if the client is our test IP
   if {[IP::addr [IP::client_addr] equals 1.2.3.4]}{
      if {$debug}{log local0. "Debug enabled for [IP::client_addr]"}
      set debug 1
   } else {
      set debug 0
   }
}
when HTTP_REQUEST {

   if {$debug}{log local0. "\[HTTP::cookie names\]: [HTTP::cookie names]"}

    Loop through each cookie by name
   foreach acookie [HTTP::cookie names] {

       Check if cookie starts with bcsi or _em_
      if {[string match -nocase "bcsi-*" $acookie] or [string match -nocase "_em_*" $acookie]}{

         if {$debug}{log local0. "Removing cookie $cookie: [HTTP::cookie value $cookie]"}

          Remove cookie
         HTTP::cookie remove $acookie
      }
   }
}

Aaron