Forum Discussion

EduardoSousa's avatar
EduardoSousa
Icon for Altocumulus rankAltocumulus
Nov 03, 2022

Order of cookies

Hello there We have a problem where, at some times the order of cookies in the package are reversed, I wonder if there is an irule to reverse cookies, making the application cookie available before ...
application delivery
security
  • Daniel_Wolf's avatar
    Daniel_Wolf
    Nov 13, 2022

    Hi EduardoSousa,

    you somehow did not mention in which direction you want to reverse the cookie order. From BIG-IP to browser, or from BIG-IP to backend server. Hence I presumed you want to reverse the order from BIG-IP to backend server.

    Here is my iRule:

     

    when HTTP_REQUEST_RELEASE {
    # Remove Cookie by name
     HTTP::cookie remove "BIGCookie"
     # Reverse order of Cookies
     if { [HTTP::header exists Cookie] } {
        set cookie_rev {}
        set values [split " [HTTP::header Cookie]" ";"]
        set i [llength $values]
        while {$i} {lappend cookie_rev [lindex $values [incr i -1]]}
        set cookie_fini [join $cookie_rev ";"]
        HTTP::header replace Cookie "$cookie_fini"
        unset cookie_fini
        unset cookie_rev
    }
}

     

    Browser to BIG-IP:

    BIG-IP to backend server
    BIGCookie is removed, order is reversed.

    Does this solve your issue?

    Note: The order of cookies usually should not be an issue. In my opinion reversing the order is not required. Maybe you can explain us, why you have this requirement?

    KR
    Daniel

     

     

Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP

Hi EduardoSousa,

you somehow did not mention in which direction you want to reverse the cookie order. From BIG-IP to browser, or from BIG-IP to backend server. Hence I presumed you want to reverse the order from BIG-IP to backend server.

Here is my iRule:

 

when HTTP_REQUEST_RELEASE {
    # Remove Cookie by name
     HTTP::cookie remove "BIGCookie"
     # Reverse order of Cookies
     if { [HTTP::header exists Cookie] } {
        set cookie_rev {}
        set values [split " [HTTP::header Cookie]" ";"]
        set i [llength $values]
        while {$i} {lappend cookie_rev [lindex $values [incr i -1]]}
        set cookie_fini [join $cookie_rev ";"]
        HTTP::header replace Cookie "$cookie_fini"
        unset cookie_fini
        unset cookie_rev
    }
}

 

Browser to BIG-IP:

BIG-IP to backend server
BIGCookie is removed, order is reversed.

Does this solve your issue?

Note: The order of cookies usually should not be an issue. In my opinion reversing the order is not required. Maybe you can explain us, why you have this requirement?

KR
Daniel

 

 

Daniel_Wolf's avatar
Daniel_Wolf
Icon for MVP rankMVP
Nov 13, 2022
Daniel_Wolf wrote:

Note: The order of cookies usually should not be an issue. In my opinion reversing the order is not required. Maybe you can explain us, why you have this requirement?

For the sake of completeness - how did I come up with this opinion:

  • HTTP State Management Mechanism
    Although cookies are serialized linearly in the Cookie header, servers SHOULD NOT rely upon the serialization order. In particular, if the Cookie header contains two cookies with the same name (e.g., that were set with different Path or Domain attributes), servers SHOULD NOT rely upon the order in which these cookies appear in the header.
  • portswigger.net - Duplicate cookies set

 

  • JRahm's avatar
    JRahm
    Icon for Admin rankAdmin
    Nov 14, 2022

    and the RFC in support of that as well on field order with HTTP...if Daniel_Wolf's response was helpful to you, can you mark it as solved, EduardoSousa? Thanks...Jason