Forum Discussion
IT
Nimbostratus
16 years ago
Persistence problem after modifying Set-Cookie
Hi,
We use cookie persistence on a VS in front of some tomcat servers.
Our goal is to add the domain at the end of every cookie in an HTTP response (BIGIP cookie, JSESSIONID cookie...)
So we have developed our first iRule, here is the code:
    when HTTP_REQUEST {
        set host [HTTP::host]
    }
    when HTTP_RESPONSE {
        if { [HTTP::header exists "Set-Cookie"] } {
            # extract main domain name
            set domain $host
            set domain_parts [split $domain "."]
            set domain_parts_count [llength $domain_parts]
            set reduced_domain_parts [lrange $domain_parts [expr {$domain_parts_count - 3}] [expr {$domain_parts_count - 1}]]
            set new_domain "; domain="
            foreach part $reduced_domain_parts {
                append new_domain "."
                append new_domain $part
            }
            # get the cookies
            set cookies [HTTP::header values "Set-Cookie"]
            # remove the old cookies
            HTTP::header remove Set-Cookie
            foreach cookie $cookies {
                set new_cookie $cookie
                # add the domain at the end of each cookie
                append new_cookie $new_domain
                # add the cookie to the response
                HTTP::header insert Set-Cookie $new_cookie
            }
        }
    }
On a test VS, this works just fine, the cookie is correctly modified, no problem.
But when we put this iRule on our production VS, our users experienced disconnections. Analysing the HTTP stream, we saw that each response contains a new Set-Cookie: BIGIPServeur=xxx that is different from the cookie in the request. We have even seen requests with two BIGIPServeur cookies.
Does anyone have a clue why this happens?
Thanks a lot!
3 Replies
- hoolio
Cirrostratus
That's a lot of processing. I think you could use a couple of inbuilt commands to do this much easier:

    when HTTP_RESPONSE {
        # Loop through each response cookie by name
        foreach aCookie [HTTP::cookie names] {
            # Set the domain on the cookie to .example.com
            HTTP::cookie domain $aCookie ".example.com"
        }
    }

Can you give this a try and see if it works for your two virtual servers?
Thanks, Aaron
- IT
Nimbostratus
Thanks for the quick answer.
We have indeed simplified the iRule thanks to your code, but alas we can't make it that simple. The thing is we have customers that connect to our servers via CNAME redirections, so the domain name they use is not ours; we can't hardcode it on the response. That's why we get it in the request. Is it the proper way to do so?
We may have figured out what happens: we have activated this iRule only for our HTTP domain, not for the HTTPS, so the redirection messes up the cookie.
We're gonna test it again really soon in production, so if you think it won't work, let me know!
- hoolio
Cirrostratus
Are you trying to set the domain on response cookies to the exact requested domain from the HTTP host header or just the base domain? You could parse the domain from the requested host header value using the domain command and then use that saved value in HTTP_RESPONSE to set them.
http://devcentral.f5.com/wiki/default.aspx/iRules/domain
Also, are there any cookies being set on the HTTPS VS? If so, you should use the same iRule on both the HTTP and HTTPS VS.
Aaron
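
The approach suggested in the last reply (parse the domain from the Host header in HTTP_REQUEST with the `domain` command, then apply it in HTTP_RESPONSE with `HTTP::cookie domain`), written out as an added example that is not code from any poster in this thread. The three-label cut mirrors the original iRule; the port stripping, character check and IP-address skip are assumptions added here because the Host header is client-supplied and ends up inside Set-Cookie.

```tcl
when HTTP_REQUEST {
    # Reset on every request so a value from an earlier request on the
    # same connection is never reused.
    set cookie_domain ""

    # Host is client-controlled: drop any :port and normalise case.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]

    # Accept only hostname characters, so nothing like ";" or whitespace
    # can be copied into the Set-Cookie header. Skip bare IP addresses,
    # for which a Domain attribute makes no sense.
    if { [regexp {^[a-z0-9.-]+$} $req_host] && ![regexp {^[0-9.]+$} $req_host] } {
        set label_count [llength [split $req_host "."]]
        if { $label_count >= 2 } {
            # Keep at most the last three labels, as the original rule did.
            if { $label_count > 3 } { set label_count 3 }
            set cookie_domain ".[domain $req_host $label_count]"
        }
    }
}

when HTTP_RESPONSE {
    # Leave cookies untouched when no usable domain was derived.
    if { $cookie_domain ne "" } {
        foreach aCookie [HTTP::cookie names] {
            HTTP::cookie domain $aCookie $cookie_domain
        }
    }
}
```

As the reply notes, the same rule needs to be attached to both the HTTP and the HTTPS virtual server if cookies are set on both.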
