Rewriting cookies

Question

Hey Guys,
&nbsp;I am working on an irule to rewrite cookies on a site with httponly and secure flags set but getting an error on the http only flag sometimes. The rule is below...and this is v11.1&nbsp;
&nbsp;when HTTP_RESPONSE {  
&nbsp;  set cookie_names [HTTP::cookie names]
&nbsp; if { $cookie_names ne "" } {     
&nbsp;   foreach cookie $cookie_names {  
&nbsp;                                   HTTP::cookie httponly $cookie enable
&nbsp;                                    HTTP::cookie secure $cookie enable
&nbsp;                                    log local0. "The cookie $cookie was found and attributes modified."
&nbsp;                             }
&nbsp;}&nbsp;&nbsp;&nbsp;&nbsp;
&nbsp;The error I am seeing in the logs is here...&nbsp;
&nbsp;TCL error: /Common/cookie_rewrite  - Improper version (line 4)     invoked from within "HTTP::cookie httponly $cookie enable"     ("foreach" body line 2)     invoked from within "foreach cookie $cookie_names {                               HTTP::cookie httponly $cookie enable                            HTTP::cookie secure $cookie enable                                      ..."&nbsp;&nbsp;&nbsp;
&nbsp;When I comment out the HTTP::cookie httponly $cookie enable line everything works fine and I succesfully rewrite the secure attr.&nbsp;
&nbsp;Any ideas?

nitass · Answer

i got the same error. anyway, may we try something like this? 
  
 root@ve1100(Active)(/Common)(tmos) show sys version

Sys::Version
Main Package
  Product  BIG-IP
  Version  11.1.0
  Build    1943.0
  Edition  Final
  Date     Sun Nov 20 18:27:50 PST 2011

root@ve1100(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.19.252:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    snat automap
    vlans-disabled
}
root@ve1100(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@ve1100(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_RESPONSE {
   set cookie_names [HTTP::cookie names]

if { $cookie_names ne "" } {
      foreach cookie $cookie_names {
         set cookie_value [HTTP::cookie $cookie]
                 HTTP::cookie remove $cookie
         HTTP::cookie insert name $cookie value $cookie_value path / version 1
         HTTP::cookie httponly $cookie enable
         HTTP::cookie secure $cookie enable
      }
   }
}
}

[root@ve1100:Active] config  curl -I http://200.200.200.101
HTTP/1.1 200 OK
Date: Sat, 04 Feb 2012 01:05:07 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Content-Length: 62
Set-Cookie: AAA=1111; path=/
Set-Cookie: BBB=2222; path=/
Set-Cookie: CCC=1234; path=/
Content-Type: text/html; charset=UTF-8

[root@ve1100:Active] config  curl -I http://172.28.19.252
HTTP/1.1 200 OK
Date: Sat, 04 Feb 2012 01:05:14 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Content-Length: 62
Content-Type: text/html; charset=UTF-8
Set-Cookie: AAA=1111;Secure;HttpOnly;Path=/;Version=1;
Set-Cookie: BBB=2222;Secure;HttpOnly;Path=/;Version=1;
Set-Cookie: CCC=1234;Secure;HttpOnly;Path=/;Version=1;

matthew_heathwa · Answer

I have just encountered exactly the same 'Improper version ' issue with httponly.&nbsp;
&nbsp;This is using BIG-IP 11.1.0 HF2, and it appears the issue is with Cookie Version.
&nbsp;For testing reasons, I am attempting to apply the httponly attribute to a persistence cookie (where one can presumably not control the version?).&nbsp;

nitass · Answer

doesn't the irule above still work?? 
  
 root@ve1110(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.19.252:80
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        cookie {
            default yes
        }
    }
    pool foo
    profiles {
        http { }
        tcp { }
    }
    snat automap
    vlans-disabled
}

[root@ve1110:Active] config  curl -I http://172.28.19.252
HTTP/1.1 200 OK
Date: Thu, 19 Apr 2012 03:04:31 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Content-Length: 62
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerfoo=1707657416.20480.0000; path=/

root@ve1110(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_RESPONSE {
   set cookie_names [HTTP::cookie names]

if { $cookie_names ne "" } {
      foreach cookie $cookie_names {
         set cookie_value [HTTP::cookie $cookie]
            HTTP::cookie remove $cookie
         HTTP::cookie insert name $cookie value $cookie_value path / version 1
         HTTP::cookie httponly $cookie enable
         HTTP::cookie secure $cookie enable
      }
   }
}
}

root@ve1110(Active)(/Common)(tmos) modify ltm virtual bar rules { myrule }
root@ve1110(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.19.252:80
    ip-protocol tcp
    mask 255.255.255.255
    persist {
        cookie {
            default yes
        }
    }
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    snat automap
    vlans-disabled
}
root@ve1110(Active)(/Common)(tmos) quit

[root@ve1110:Active] config  curl -I http://172.28.19.252
HTTP/1.1 200 OK
Date: Thu, 19 Apr 2012 03:05:06 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Content-Length: 62
Content-Type: text/html; charset=UTF-8
Set-Cookie: BIGipServerfoo=1707657416.20480.0000;Secure;HttpOnly;Path=/;Version=1;

Forum Discussion

Rewriting cookies

3 Replies

SSO Login Update Coming to DevCentral

Kevin - June 2026 Featured F5er

Tyler - May 2026 Featured Member

Recent Discussions

Related Content

Rewriting Redirects

Cookie-based DDoS protection

Rewriting iRules...LIVE!

2. SYN Cookie: Operation

Encrypting Cookies