For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Chris_Miller's avatar
Chris_Miller
Icon for Altostratus rankAltostratus
Aug 09, 2010

Rewrite Existing Client Cookie

Let's say a client has a cookie called "sample" with a value of "1" Can an F5 replace the value of the cookie on the client machine? I know it can insert a new cookie with the same name and different value but am unsure of how to replace it.
application delivery
dev
devops
iRules

8 Replies

  • naladar_65658's avatar
    naladar_65658
    Icon for Altostratus rankAltostratus
    Aug 09, 2010
    I think something like this would allow you to change the cookie value. Sorry, I don't have a good way to test this out at the moment. 

    
when HTTP_REQUEST {

 Check if the cookie exists in request
if { [HTTP::cookie exists "cookie-name"] } {

 Change cookie's value
HTTP::cookie [value]  [string]
   }
}
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Aug 09, 2010
    Posted By naladar on 08/09/2010 11:42 AM

    I think something like this would allow you to change the cookie value. Sorry, I don't have a good way to test this out at the moment. 

    when HTTP_REQUEST {

 Check if the cookie exists in request
if { [HTTP::cookie exists "cookie-name"] } {

 Change cookie's value
HTTP::cookie [value]  [string]
   }
}

    Since this is in the HTTP_REQUEST event, this would just be replacing it from the F5 to the pool member, right?
  • naladar_65658's avatar
    naladar_65658
    Icon for Altostratus rankAltostratus
    Aug 09, 2010
    That is correct. To modify the cookie coming from the server going to the client you would have to use when HTTP_RESPONSE. Here is a good URL for a Wiki article talking about encrypting cookies, in which they describe how to change the values of the cookies.
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Aug 09, 2010
    Posted By naladar on 08/09/2010 12:19 PM

     

    That is correct. To modify the cookie coming from the server going to the client you would have to use when HTTP_RESPONSE. Here is a good URL for a Wiki article talking about encrypting cookies, in which they describe how to change the values of the cookies.

     

     

    I think you may have forgotten the link. :-P
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 09, 2010
    From RFC2109:

     

     

     

    4.3.3 Cookie Management

     

     

     

    If a user agent receives a Set-Cookie response header whose NAME is

     

    the same as a pre-existing cookie, and whose Domain and Path

     

    attribute values exactly (string) match those of a pre-existing

     

    cookie, the new cookie supersedes the old. However, if the Set-

     

    Cookie has a value for Max-Age of zero, the (old and new) cookie is

     

    discarded. Otherwise cookies accumulate until they expire (resources

     

    permitting), at which time they are discarded.

     

     

     

    So you can overwrite an existing cookie value by setting a new cookie with the same name, domain and path as the prior cookie. You can do this in HTTP_RESPONSE using HTTP::cookie insert name < name > value < value >.

     

     

    Aaron
  • Chris_Miller's avatar
    Chris_Miller
    Icon for Altostratus rankAltostratus
    Aug 09, 2010
    Posted By hoolio on 08/09/2010 02:49 PM

    From RFC2109:

    4.3.3 Cookie Management

    If a user agent receives a Set-Cookie response header whose NAME is

     

    the same as a pre-existing cookie, and whose Domain and Path

     

    attribute values exactly (string) match those of a pre-existing

     

    cookie, the new cookie supersedes the old. However, if the Set-

    Cookie has a value for Max-Age of zero, the (old and new) cookie is

    discarded. Otherwise cookies accumulate until they expire (resources

    permitting), at which time they are discarded.

    So you can overwrite an existing cookie value by setting a new cookie with the same name, domain and path as the prior cookie. You can do this in HTTP_RESPONSE using HTTP::cookie insert name < name > value < value >.

    Aaron

    Thanks as always! I'm currently doing just this but have noticed my browser showing multiple cookies and as I use the "expire at browser close" default, I wasn't entirely sure how the F5 would handle a user with 2 "example" cookies. So, if I have an iRule like the following: 
    when HTTP_REQUEST {
if {  [HTTP::cookie "example"] eq 1 } {
pool 1 
} elseif { [HTTP::cookie "example"] eq 2 } {
pool 2 } 
}
    and the user has 2 "example" cookies, with the most recently inserted being "2", it would send the user to pool 2?
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Aug 10, 2010
    Based on a little experience with this and reading the RFC, if you're setting the cookie correctly from LTM, it should overwrite the pre-existing cookie with the new value. If that's what you want to happen and it's not, I'd try investigating that issue further rather than try to determine which cookie in the request is the "correct" one.

     

     

    With HTTP::cookie, it doesn't seem like there is a simple way to handle two different cookies with the same value. With headers you can use 'HTTP::header values $header_name' to get the values for multiple instances of the same header. It's also worth noting that you can't differentiate between two cookies set with a different path or domain on requests as the client only includes the cookie name and value--not any of the properties that the cookies were set with.

     

     

    Aaron
  • Rami_307440's avatar
    Rami_307440
    Icon for Nimbostratus rankNimbostratus
    Aug 25, 2017

    Hi Aaron, HTTP::cookie insert name < name > value < value >

     

    That will insert a new cookie name and it will not over write the existing one.

     

    ~Rami