Brian_Deitch_11
Historic F5 Account
Nov 15, 2012

NetScaler to F5 problems with cookies

Hey guys,

Working a project where I'm taking a NetScaler VIP to the LTM. The old VIP used content switching (URI-based pool section). As you may know, cookie persistence is set at the pool (serviceGroup) level on the NS, hence this iRule.

when HTTP_REQUEST {
    switch -glob [string tolower [HTTP::path]] {
        */301* {
            pool pool_301_8080
            persist cookie insert NSC_bgn301 "0d 00:00:00"
        }
        */302* {
            pool pool_302_8080
            persist cookie insert NSC_bgn302 "0d 00:00:00"
        }
        */303* {
            pool pool_301_8080
            persist cookie insert NSC_bgn303 "0d 00:00:00"
        }
        */304* {
            pool pool_305_8080
            persist cookie insert NSC_bgn304 "0d 00:00:00"
        }
        default { pool pool_whatever_80 }
    }
}

when HTTP_RESPONSE {
    set myValues [HTTP::cookie NSC_bgn301 NSC_bgn302 NSC_bgn303 NSC_bgn304 NSC_bgn305]
    foreach mycookies $myValues {
        HTTP::cookie secure $mycookies enable
    }
}

Problem 1: Cookies NSC_bgn30X all expire after 180 seconds, not session.

Problem 2: Cookies are still not secure.

Problem 3: Need to set HostOnly flag to true.

FYI:

Main Package
  Product  BIG-IP
  Version  10.2.3
  Build    123.0
  Edition  Hotfix HF1
  Date     Fri Dec 2 11:43:17 PST 2011

Any help is greatly appreciated.

Brian

3 Replies

  • Brian_Deitch_11
    Historic F5 Account

    I have found the root cause:

    http://support.f5.com/kb/en-us/solutions/public/11000/600/sol11679.html

    In short, you cannot set the persistence record to session.

    I'm going to try to rewrite the value using HTTP_RESPONSE. If I have any luck, I will communicate it out.

  • Brian_Deitch_11
    Historic F5 Account

    Ok

    when HTTP_RESPONSE {
        set myValues [HTTP::cookie NSC_bgn301 NSC_bgn302 NSC_bgn303 NSC_bgn304 NSC_bgn305]
        foreach mycookies $myValues {
            HTTP::cookie secure $mycookies enable
        }
    }

    Is now:

    when HTTP_RESPONSE {
        set myValues [HTTP::cookie names]
        foreach mycookies $myValues {
            HTTP::cookie secure $mycookies enable
            HTTP::cookie expires $mycookies 0
        }
    }

    Unfortunately the HTTP::cookie expires $mycookies 0 doesn't work. It defaults back to 180 seconds.

  • Brian_Deitch_11
    Historic F5 Account
    Final workaround:

    # Pick the pool from the URI path and insert a per-pool persistence
    # cookie with a 1-day expiry.
    when HTTP_REQUEST {
        switch -glob [string tolower [HTTP::path]] {
            */301* {
                pool pool_301_8080
                persist cookie insert NSC_bgn301 "1d 00:00:00"
            }
            */302* {
                pool pool_302_8080
                persist cookie insert NSC_bgn302 "1d 00:00:00"
            }
            */303* {
                pool pool_301_8080
                persist cookie insert NSC_bgn303 "1d 00:00:00"
            }
            */304* {
                pool pool_305_8080
                persist cookie insert NSC_bgn304 "1d 00:00:00"
            }
            default { pool pool_whatever_80 }
        }
    }

    # Set the Secure attribute on every cookie named in the response.
    when HTTP_RESPONSE {
        set myValues [HTTP::cookie names]
        foreach mycookies $myValues {
            HTTP::cookie secure $mycookies enable
        }
    }

    Since I was unable to set the persistence timeout to 0 (session), I had to set it to 1 Day (1d 00:00:00). Securing cookies now works as I had passed the wrong argument in the original post.
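
Added example, not part of the thread and not F5 code: a small Python check that audits `Set-Cookie` headers for the three properties the original post asks about (Secure, session lifetime, host-only). It assumes the RFC 6265 rule that a cookie is host-only when it carries no `Domain` attribute; the sample headers and cookie values are constructed.

```python
# Audit Set-Cookie headers for the NSC_bgn30X persistence cookies.
# Sample headers below are constructed for illustration, not captured traffic.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def audit_cookie(header):
    """Report the three properties from Problems 1-3 for one cookie."""
    name, _, attrs = parse_set_cookie(header)
    return {
        "name": name,
        # Problem 2: cookie must carry the Secure attribute.
        "secure": "secure" in attrs,
        # Problem 1: a session cookie has neither Expires nor Max-Age.
        "session": "expires" not in attrs and "max-age" not in attrs,
        # Problem 3: host-only means no (non-empty) Domain attribute.
        "host_only": not attrs.get("domain"),
    }

def findings(headers, prefix="NSC_bgn"):
    """Map each matching cookie name to the list of properties it fails."""
    result = {}
    for header in headers:
        report = audit_cookie(header)
        if report["name"].startswith(prefix):
            result[report["name"]] = [
                key for key in ("secure", "session", "host_only")
                if not report[key]
            ]
    return result

SAMPLE_HEADERS = [  # constructed
    "NSC_bgn301=placeholder; expires=Thu, 15-Nov-2012 12:03:00 GMT; path=/",
    "NSC_bgn302=placeholder; path=/; secure",
    "NSC_bgn303=placeholder; Domain=example.com; path=/; Secure",
    "JSESSIONID=placeholder; path=/",  # ignored: does not match the prefix
]

if __name__ == "__main__":
    for cookie, failed in findings(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not failed else "fails: " + ", ".join(failed))
```

Feed it the `Set-Cookie` values seen by a client on the HTTPS virtual server to confirm what the iRule actually emits.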