Secure cookie iRule is not working as expected
We are using below iRule for making all cookies secure, but it is not working as expected. Below is the issue description. Help me in resolving this issue.
iRule:
when HTTP_RESPONSE {
    set cookies [HTTP::cookie names]
    # Loop through each cookie by name in request
    foreach aCookie $cookies {
        # Replace cookie name from list and set Secure Flag to Enable
        log local0. "$aCookie, [HTTP::cookie value $aCookie]"
        HTTP::cookie secure $aCookie enable
    }
}
Issue description:
Below is the snippet of one of the set-cookie response.
Cookie sent by IIS server:
Set-Cookie USEREXIST=OMMONFRE; Expires=Sat, 18-May-2013 14:35:03 GMT; Path=/sso_admin; HttpOnly
Cookie after iRule execution:
USEREXIST=OMMONFRE;secure; Expires=Sat,;secure; 18-May-2013 14:35:03;secure; GMT;Secure; Path=/sso_admin; HttpOnly
Logs show that a single set-cookie is being interpreted as multiple set-cookie.
LTM Logs:
May 13 09:15:21 tmm info tmm[6840]: Rule /Common/ir_securecookie_log : JSESSIONID, OLbwbxawwZJZVz85YLW+Ng__
May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : USEREXIST, OMMONFRE
May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : Expires, Sat,
May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : GMT,
May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : 18-May-2013, 14:03:16
Thanks,
Vivek.
6 Replies
- Kevin_Stewart
Employee
Which TMOS version are you running? I haven't found anything specific to this issue, but assuming it's a bug, I tested your iRule on 11.3 and it produced the correct results.
- vivek_76299
Nimbostratus
The version of LTM we are using is "BIG-IP 11.1.0 Build 2027.0 Hotfix HF2".
I have observed that for some cookies it is working fine and for some it fails. Below are some examples.
Successful for below cookie:
Set-Cookie
JSESSIONID=xZMgxl1gPyTV0UgpcNUmHA__; Path=/sso_admin; HttpOnly
Failure for below cookies:
Set-Cookie
USEREXIST=OMMONFRE; Expires=Sat, 18-May-2013 14:35:03 GMT; Path=/sso_admin; HttpOnly
Set-Cookie
USEREXIST=; Expires=Thu, 1-Jan-1970 00:00:10 GMT; Path=/sso_admin; HttpOnly
Let me know if any other information is required.
Thanks,
Vivek.
- Kevin_Stewart
Employee
Well, that certainly looks like a bug, as it doesn't appear to affect other versions. I'd recommend opening a case with support. There are workarounds of course, but nothing as clean as what you're already doing.
- pallocca_73085
Nimbostratus
We ran into this same issue with 11.3 Engineering Hotfix HF5
At this point we just had to disable the secure cookie logic on the LTM and hope the apps set it
cookie coming from the server:
senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w; Path=/; Expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure
after running through the irule logic
senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w;Secure; Path=/; Expires=Tue, 18 Jun;secure; 2013 21:32:02;secure; GMT; HttpOnly; Secure
will be opening a case.
- nitass
Employee
> We ran into this same issue with 11.3 Engineering Hotfix HF5
can you change "Expires" to lower letters on your server? if not, can you try something like this?
e.g.
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.16:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans-disabled
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm rule myrule
ltm rule myrule {
    when HTTP_RESPONSE priority 100 {
        set setck [HTTP::header values "Set-Cookie"]
        HTTP::header remove "Set-Cookie"
        foreach item $setck {
            HTTP::header insert "Set-Cookie" "[string map {Expires expires} $item]"
        }
    }
    when HTTP_RESPONSE {
        set cookies [HTTP::cookie names]
        # Loop through each cookie by name in request
        foreach aCookie $cookies {
            # Replace cookie name from list and set Secure Flag to Enable
            log local0. "$aCookie, [HTTP::cookie value $aCookie]"
            HTTP::cookie secure $aCookie enable
        }
    }
}

server response (not passing through bigip)
[root@ve11a:Active:Changes Pending] config # curl -I http://200.200.200.101
HTTP/1.1 200 OK
Date: Thu, 20 Jun 2013 03:59:45 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 23 May 2013 00:28:46 GMT
ETag: "4185a8-59-c3efab80"
Accept-Ranges: bytes
Content-Length: 89
Set-Cookie: foo=1234; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly
Set-Cookie: senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w; Path=/; Expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure
Connection: close
Content-Type: text/html; charset=UTF-8

response (passing through bigip)
[root@ve11a:Active:Changes Pending] config # curl -I http://172.28.20.16
HTTP/1.1 200 OK
Date: Thu, 20 Jun 2013 03:59:49 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 23 May 2013 00:28:46 GMT
ETag: "4185a8-59-c3efab80"
Accept-Ranges: bytes
Content-Length: 89
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: foo=1234;Secure; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly
Set-Cookie: senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w; Path=/; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure
- nitass
Employee
this is a side effect of ID386763 (credited to KC).
Bug 386763 - HTTP::cookie remove does not remove whole cookie
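
A check for the corruption shown in this thread, as an added example that is not part of any post or of F5's tooling: it audits the Set-Cookie lines of a saved `curl -I` response and flags a missing Secure attribute, an Expires date that was split mid-value, and the stray fragments the split leaves behind. The function names and finding labels are assumptions made for this example, and the sample lines are assembled from header values quoted in the posts above.

```python
import re

# Loose cookie-date shape: "Sat, 18-May-2013 14:35:03 GMT" or "Tue, 18 Jun 2013 21:32:02 GMT"
DATE_RE = re.compile(
    r"^[A-Za-z]{3},\s+\d{1,2}[ -][A-Za-z]{3}[ -]\d{2,4}\s+\d{2}:\d{2}:\d{2}\s+GMT$")
KNOWN = {"expires", "max-age", "domain", "path", "secure", "httponly", "samesite"}

def audit_set_cookie(value):
    """Return (cookie_name, sorted findings) for one Set-Cookie header value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0]
    findings, secure_count = set(), 0
    for attr in filter(None, parts[1:]):
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure_count += 1
        elif key == "expires" and not DATE_RE.match(val.strip()):
            findings.add("bad-expires")        # date was split mid-value
        elif key not in KNOWN:
            findings.add("unknown-attribute")  # e.g. a stray "GMT" fragment
    if secure_count == 0:
        findings.add("missing-secure")
    elif secure_count > 1:
        findings.add("duplicate-secure")
    return name, sorted(findings)

def audit_response(header_lines):
    """Audit every Set-Cookie line of a response, in order of appearance."""
    report = []
    for line in header_lines:
        field, _, value = line.partition(":")
        if field.strip().lower() == "set-cookie":
            report.append(audit_set_cookie(value.strip()))
    return report

# Sample input assembled for this example from values quoted in the thread:
# the server's original cookie, the corrupted rewrite, and a correct rewrite.
SAMPLE = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: USEREXIST=OMMONFRE; Expires=Sat, 18-May-2013 14:35:03 GMT; Path=/sso_admin; HttpOnly",
    "Set-Cookie: USEREXIST=OMMONFRE;secure; Expires=Sat,;secure; 18-May-2013 14:35:03;secure; GMT;Secure; Path=/sso_admin; HttpOnly",
    "Set-Cookie: foo=1234;Secure; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly",
]

if __name__ == "__main__":
    for name, findings in audit_response(SAMPLE):
        print(name, findings or "ok")
```

Running it against responses captured both directly from the pool member and through the virtual server shows whether the rewrite added Secure cleanly or damaged the cookie.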