Forum Discussion

Steve_Brown_882's avatar
Steve_Brown_882
Historic F5 Account
Feb 03, 2012

Rewriting cookies

Hey Guys,

 

I am working on an irule to rewrite cookies on a site with httponly and secure flags set but getting an error on the http only flag sometimes. The rule is below...and this is v11.1

 

 

when HTTP_RESPONSE {

 

set cookie_names [HTTP::cookie names]

 

if { $cookie_names ne "" } {

 

foreach cookie $cookie_names {

 

HTTP::cookie httponly $cookie enable

 

HTTP::cookie secure $cookie enable

 

log local0. "The cookie $cookie was found and attributes modified."

 

}

 

}

 

 

 

 

 

The error I am seeing in the logs is here...

 

 

TCL error: /Common/cookie_rewrite - Improper version (line 4) invoked from within "HTTP::cookie httponly $cookie enable" ("foreach" body line 2) invoked from within "foreach cookie $cookie_names { HTTP::cookie httponly $cookie enable HTTP::cookie secure $cookie enable ..."

 

 

 

 

When I comment out the HTTP::cookie httponly $cookie enable line everything works fine and I succesfully rewrite the secure attr.

 

 

Any ideas?
application delivery
dev
devops
iRules
  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Feb 04, 2012
    i got the same error. anyway, may we try something like this? 

    root@ve1100(Active)(/Common)(tmos) show sys version

Sys::Version
Main Package
  Product  BIG-IP
  Version  11.1.0
  Build    1943.0
  Edition  Final
  Date     Sun Nov 20 18:27:50 PST 2011

root@ve1100(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.19.252:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    snat automap
    vlans-disabled
}
root@ve1100(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@ve1100(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_RESPONSE {
   set cookie_names [HTTP::cookie names]

   if { $cookie_names ne "" } {
      foreach cookie $cookie_names {
         set cookie_value [HTTP::cookie $cookie]
                 HTTP::cookie remove $cookie
         HTTP::cookie insert name $cookie value $cookie_value path / version 1
         HTTP::cookie httponly $cookie enable
         HTTP::cookie secure $cookie enable
      }
   }
}
}

[root@ve1100:Active] config  curl -I http://200.200.200.101
HTTP/1.1 200 OK
Date: Sat, 04 Feb 2012 01:05:07 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Content-Length: 62
Set-Cookie: AAA=1111; path=/
Set-Cookie: BBB=2222; path=/
Set-Cookie: CCC=1234; path=/
Content-Type: text/html; charset=UTF-8

[root@ve1100:Active] config  curl -I http://172.28.19.252
HTTP/1.1 200 OK
Date: Sat, 04 Feb 2012 01:05:14 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Content-Length: 62
Content-Type: text/html; charset=UTF-8
Set-Cookie: AAA=1111;Secure;HttpOnly;Path=/;Version=1;
Set-Cookie: BBB=2222;Secure;HttpOnly;Path=/;Version=1;
Set-Cookie: CCC=1234;Secure;HttpOnly;Path=/;Version=1;
  • Matthew_Heathwa's avatar
    Matthew_Heathwa
    Icon for Nimbostratus rankNimbostratus
    Apr 17, 2012
    I have just encountered exactly the same 'Improper version ' issue with httponly.

     

     

    This is using BIG-IP 11.1.0 HF2, and it appears the issue is with Cookie Version.

     

    For testing reasons, I am attempting to apply the httponly attribute to a persistence cookie (where one can presumably not control the version?).

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Apr 19, 2012
    doesn't the irule above still work?? 

    root@ve1110(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.19.252:80
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        cookie {
            default yes
        }
    }
    pool foo
    profiles {
        http { }
        tcp { }
    }
    snat automap
    vlans-disabled
}

[root@ve1110:Active] config  curl -I http://172.28.19.252
HTTP/1.1 200 OK
Date: Thu, 19 Apr 2012 03:04:31 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Content-Length: 62
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerfoo=1707657416.20480.0000; path=/

root@ve1110(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_RESPONSE {
   set cookie_names [HTTP::cookie names]

   if { $cookie_names ne "" } {
      foreach cookie $cookie_names {
         set cookie_value [HTTP::cookie $cookie]
            HTTP::cookie remove $cookie
         HTTP::cookie insert name $cookie value $cookie_value path / version 1
         HTTP::cookie httponly $cookie enable
         HTTP::cookie secure $cookie enable
      }
   }
}
}

root@ve1110(Active)(/Common)(tmos) modify ltm virtual bar rules { myrule }
root@ve1110(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.19.252:80
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        cookie {
            default yes
        }
    }
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    snat automap
    vlans-disabled
}
root@ve1110(Active)(/Common)(tmos) quit

[root@ve1110:Active] config  curl -I http://172.28.19.252
HTTP/1.1 200 OK
Date: Thu, 19 Apr 2012 03:05:06 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Content-Length: 62
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerfoo=1707657416.20480.0000;Secure;HttpOnly;Path=/;Version=1;