Forum Discussion

Torijori_Yamamada's avatar
May 11, 2023

Removal Cookies on Client Browser

Hello

I'm trying to erase a bunc of cookies which belongs to expired session. Cookies are sending by the servers (CyberArk) and they are session cookies. Here in this scenario the F5 is used as Auth provider with an APM policy along with the load balancing. The APM policy is in LTM+APM mode so there is no webtop, connectivity profile and advanced resource assaing agent.

This is not a new deployment but after the upgrade of Cyberark software in pool members, this design started to act a bit weird. When predefined idle timeout expires on CyberArk, the consequent requests get an error message on client and client sees an empty white page. After claening every thing (Ctrl+Shift+Del or using incognito mode) on the browser the problem vanishes.

According to Cyberark support, the client sends a token that is not valid anymore. We identified some cookies that look like carrying these tokens and we wrote an irule to tell the client for clean all those subjected cookies when an APM session started.

Seems like the iRule sends all needed cleaning declarations to the client browser and we saw all those cookies removed from cookie store of browser. But somehow some of them (CA11111, CA22222 and CA66666) is still carrying old token informations.

According to my google-fu, there is no special removing methods besides mine. Also, found no information about that whether need to specify all those attributes used at the set-cookie moment as well while removing them. I mean those "domain=", "path=", "secure" and other attributes sent by server along with cookie at the beginning. 

The cookies sent by server:

  • Set-Cookie: CA33333=; path=/PasswordVault/; SameSite=Strict; secure; HttpOnly
  • Set-Cookie: __AntiXsrfToken=; expires=Tue, 11-May-1993 08:57:48 GMT; path=/; secure; HttpOnly
  • Set-Cookie: CA44444=64D55E4839F5ED0032A7D0A7863EB07336F49030; path=/PasswordVault/; SameSite=Strict; secure; HttpOnly
  • Set-Cookie: CA11111=00000002531296421D1226B831C822BA3BEE6FD4245F97F9A49C4C416052B0EC975B1B0C00000000; path=/PasswordVault/; SameSite=Strict; secure; HttpOnly
  • Set-Cookie: CA22222=A1AC061D681C256A9DDF259B64D55E4839F5ED0032A7D0A7863EB07336F49030; path=/PasswordVault/; SameSite=Strict; secure; HttpOnly
  • Set-Cookie: CA55555=cyberark; path=/PasswordVault/; SameSite=Strict; secure
  • Set-Cookie: CA66666=jjxH6-chSXEEGbEjXXl7gyZv8xtT1XfiWqaUz7FPTVqntHw0AfdtPowY5YM0TJv5RHhFJPgoN1Oly2AJzxicXX5RroibSQeh1b4Ua_PTbA3L4fjEVTin3TXQ0bK9PU-VO6koC5iPZ0tOehb8AijWe0zJKaPJ_2hbqIBjgxVsitpxv3VBgXxEFqYQ9If8sE4o2wYS00mu0gVjRZKS9KSVLrbZPDVve0PgNT2alYsAv8Ic1O3mfqkgEYuAuJMndKMxGmE-7ehbwZX373XionLWaq3Viz67yk6UUH8qYCKhf2gpSnkh5PO-u9_e2M5O8uYYEVpTcA4O50Q0IAeU_V4zsg2; path=/PasswordVault/; SameSite=None; secure
  • Set-Cookie: 6a5a355a-0547-40ce-9770-fc22d1f3bbea=8096DBD1E9E9ECF050757DDD2538169332D568558048455B5EC4A9CCB22A74F285F74A13FFF1DAC916C7558EBB15FD0F5EE388C0200435FA4822BD64B5833B0F824A23313EDBDDF519B5170AC7F177FF8D85DF020BEDDD01767EE977A710D5DB3DD6FE3D8A7C0D26442CE3EA472FD456FE69930D39769576D155C488AB79BB08818D36C8253800517365B75AF827BBF6; path=/PasswordVault/; secure; HttpOnly; SameSite=Lax

My iRule:

when CLIENT_ACCEPTED {
    set status 0
    ACCESS::restrict_irule_events disable
}
 
when ACCESS_SESSION_STARTED {
    set status 1
}
 
when HTTP_RESPONSE_RELEASE {
    if { $status == 1 } {
        
        HTTP::header insert "Set-Cookie" "CA11111=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"
        HTTP::header insert "Set-Cookie" "CA22222=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"
        HTTP::header insert "Set-Cookie" "CA33333=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"
        HTTP::header insert "Set-Cookie" "CA44444=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"
        HTTP::header insert "Set-Cookie" "CA55555=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"
        HTTP::header insert "Set-Cookie" "CA66666=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"
        HTTP::header insert "Set-Cookie" "6a5a355a-0547-40ce-9770-fc22d1f3bbea=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"
        HTTP::header insert "Set-Cookie" "pam_persist=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"
}

My questions are:

  1. Is there any specific requirement to delete a cookie or can i use above iRule to erase all of them?
  2. Should i specify all those attributes along with the cookies while deleting?
  3. Some of the above cookies send from server when a specific request made by client. While deleting them is there any specific rule/policy to follow? Like deleting the cookie at the request sent by client.
  4. I tried to use "HTTP::cookie remove" method but somehow i did not see any delete (Set-Cookie header) message coming from F5 for cookies. How "HTTP::cookie remove" method actually deletes a cookie?
  5. This is for the APM specialists. In a LTM+APM policy, is there any way to determine the moment of the session expiration happend and initiate a HTTP response for cookie clean message to the client?

Thanks advance.

 

  • Hello again.

    Apparently, in order to delete a cookie, you have to specify all properties of the subjected cookie which defined at the first place.

    For example:

    HTTP::header insert "Set-Cookie" "CA66666=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/PasswordVault/;SameSite=none;secure;HttpOnly"
  • Torijori_Yamamada This seems like more of a persistence issue rather than the cookie itself being from the server. If you don't have UIE persistence configured and referencing the cookie that CyberArk issues I would start with that first to see if it resolves your issue. The F5 should take the cookie provided by the server and maintain persistence off of that cookie. The following article should get you moving in the right direction.

    https://my.f5.com/manage/s/article/K7392

    • Hello

      I suspected it first and tried with single member in pool and there was no change in behavior.

  • Hello again.

    Apparently, in order to delete a cookie, you have to specify all properties of the subjected cookie which defined at the first place.

    For example:

    HTTP::header insert "Set-Cookie" "CA66666=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/PasswordVault/;SameSite=none;secure;HttpOnly"