Forum Discussion
vivek_76299
Nimbostratus
May 13, 2013
Secure cookie iRule is not working as expected
We are using the iRule below to make all cookies secure, but it is not working as expected. Below is the issue description. Help me in resolving this issue.
iRule:
when HT...
nitass
Employee
Jun 19, 2013
We ran into this same issue with 11.3 Engineering Hotfix HF5. Can you change "Expires" to lowercase letters on your server? If not, can you try something like this?
e.g.
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.16:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans-disabled
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos)# list ltm rule myrule
ltm rule myrule {
    # Runs first (priority 100): rewrite "Expires" to "expires" in every Set-Cookie header
    when HTTP_RESPONSE priority 100 {
        set setck [HTTP::header values "Set-Cookie"]
        HTTP::header remove "Set-Cookie"
        foreach item $setck {
            HTTP::header insert "Set-Cookie" "[string map {Expires expires} $item]"
        }
    }
    # Runs afterwards (default priority): set the Secure flag on each cookie
    when HTTP_RESPONSE {
        set cookies [HTTP::cookie names]
        # Loop through each cookie by name in request
        foreach aCookie $cookies {
            # Replace cookie name from list and set Secure Flag to Enable
            log local0. "$aCookie, [HTTP::cookie value $aCookie]"
            HTTP::cookie secure $aCookie enable
        }
    }
}
server response (not passing through bigip)
[root@ve11a:Active:Changes Pending] config # curl -I http://200.200.200.101
HTTP/1.1 200 OK
Date: Thu, 20 Jun 2013 03:59:45 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 23 May 2013 00:28:46 GMT
ETag: "4185a8-59-c3efab80"
Accept-Ranges: bytes
Content-Length: 89
Set-Cookie: foo=1234; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly
Set-Cookie: senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w; Path=/; Expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure
Connection: close
Content-Type: text/html; charset=UTF-8
response (passing through bigip)
[root@ve11a:Active:Changes Pending] config # curl -I http://172.28.20.16
HTTP/1.1 200 OK
Date: Thu, 20 Jun 2013 03:59:49 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 23 May 2013 00:28:46 GMT
ETag: "4185a8-59-c3efab80"
Accept-Ranges: bytes
Content-Length: 89
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: foo=1234;Secure; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly
Set-Cookie: senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w; Path=/; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure
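One way to check the two curl results above automatically, as an added example that is not part of the original post: a Python script that parses Set-Cookie lines and lists the cookies still missing the Secure flag. The sample headers are constructed from the responses in this thread, with the long senecasid value replaced by a placeholder, and the function names are hypothetical.

```python
# Added example: audit Set-Cookie headers from `curl -I` output for the Secure flag.
# The sample responses are constructed from the headers shown in this thread
# (the long senecasid value is replaced by the placeholder PLACEHOLDER).

def parse_set_cookies(raw_headers):
    """Return a list of (cookie_name, {attr_name_lower: value}) per Set-Cookie line."""
    cookies = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].partition("=")[0].strip()
        attrs = {}
        for part in parts[1:]:
            if not part:
                continue
            key, _, val = part.partition("=")
            # RFC 6265 matches attribute names case-insensitively, so
            # "Expires"/"expires" and "Secure"/"secure" are equivalent here.
            attrs[key.strip().lower()] = val.strip()
        cookies.append((cookie_name, attrs))
    return cookies

def missing_flag(raw_headers, flag="secure"):
    """Names of cookies whose Set-Cookie line lacks the given flag."""
    wanted = flag.lower()
    return [n for n, attrs in parse_set_cookies(raw_headers) if wanted not in attrs]

# Constructed sample: server response, not passing through BIG-IP
DIRECT = """HTTP/1.1 200 OK
Set-Cookie: foo=1234; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly
Set-Cookie: senecasid=PLACEHOLDER; Path=/; Expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure
"""

# Constructed sample: response passing through BIG-IP with the iRule attached
VIA_BIGIP = """HTTP/1.1 200 OK
Set-Cookie: foo=1234;Secure; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly
Set-Cookie: senecasid=PLACEHOLDER; Path=/; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure
"""

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT), ("via BIG-IP", VIA_BIGIP)):
        print(label, "missing Secure:", missing_flag(raw) or "none")
```

To audit a live virtual server, pass the saved output of `curl -I` to `missing_flag()` in place of the constructed samples.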