Forum Discussion
mr_skater99_640
Nimbostratus
NimbostratusStripping Cookies
We have an off the shelf product that sets to many cookies and cookies on all domains configured in the product (these aren't needed). We're trying to tidy some of this up and we've got some of it working,
when HTTP_RESPONSE {
if { [HTTP::header "server"] equals "blah" } {
set cookies [HTTP::cookie names]
foreach aCookie $cookies {
if {[string tolower $aCookie] equals "offending_cookie"} {
HTTP::cookie remove $aCookie
}
}
}
}
This strips all "offending_cookie". What we need to do now is strip cookies that are for anything other than the domain the request was made on.
I tried the following to see if i could remove a cookie with an offending domain (my intention was once this was working to then make it dynamic to pick up the domain the request was made on and go that way).
when HTTP_RESPONSE {
if { [HTTP::header "server"] equals "blah" } {
set cookies [HTTP::cookie names]
foreach aCookie $cookies {
set cookieDomain [HTTP::cookie domain $aCookie]
if {[string tolower $aCookie] equals "offending_cookie"} {
HTTP::cookie remove $aCookie
} elseif {$cookieDomain contains ".bad.domain.com"} {
HTTP::cookie remove $aCookie
}
}
}
}
But this doesn't work - any pointers????
Cheers.
12 Replies
hoolioCirrostratus
The rule looks like it should work. Can you try this version with debug logging to see what's being matched for each cookie?when HTTP_RESPONSE { if { [HTTP::header "server"] equals "blah" } { log local0. "Checking cookies: [HTTP::cookie names]" foreach aCookie [HTTP::cookie names] { log local0. "Checking cookie: $aCookie, with domain: [HTTP::cookie domain $aCookie]" if {[string tolower $aCookie] equals "offending_cookie"} { log local0. "Removing cookie: $aCookie in name check" HTTP::cookie remove $aCookie } elseif {[HTTP::cookie domain $aCookie] contains ".bad.domain.com"} { log local0. "Removing cookie: $aCookie in domain check" HTTP::cookie remove $aCookie } } } }
Once you're done testing, you can comment out or remove the debug logging.
Aaron
mr_skater99_640Hey Hoolio,
Thanks very much for your reply - i had to wait until we got a Virtual BigIp up before i could do any real testing...
This is the rule i put in:when HTTP_RESPONSE { if { [HTTP::header "server"] equals "daui" } { foreach aCookie [HTTP::cookie names] { if {[string tolower $aCookie] equals "amlbcookie"} { HTTP::cookie remove $aCookie } elseif {[HTTP::cookie domain $aCookie] contains ".exttest.lab"} { HTTP::cookie remove $aCookie } elseif {[HTTP::cookie domain $aCookie] contains ".xint.xcorp.xsun"} { HTTP::cookie remove $aCookie } } } }
Here's what the logs show:Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookies: JSESSIONID amlbcookie amlbcookie amlbcookie amlbcookie AMDistAuthCookie AMDistAuthCookie AMDistAuthCookie AMDistAuthCookie amlbcookie amlbcookie amlbcookie amlbcookie BIGipServerpool-amdaui Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: JSESSIONID, with domain: Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: amlbcookie, with domain: .gio.com.au Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Removing cookie: amlbcookie in name check Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: amlbcookie, with domain: .exttest.lab Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Removing cookie: amlbcookie in name check Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: amlbcookie, with domain: .vero.apps.anznb.co.nz Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Removing cookie: amlbcookie in name check Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: amlbcookie, with domain: .xint.xcorp.xsun Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Removing cookie: amlbcookie in name check Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: AMDistAuthCookie, with domain: .gio.com.au Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: AMDistAuthCookie, with domain: .gio.com.au Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: AMDistAuthCookie, with domain: .gio.com.au Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: AMDistAuthCookie, with domain: .gio.com.au Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: amlbcookie, with domain: .gio.com.au Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Removing cookie: amlbcookie in name check Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: amlbcookie, with domain: .exttest.lab Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Removing cookie: amlbcookie in name check Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: amlbcookie, with domain: .vero.apps.anznb.co.nz Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Removing cookie: amlbcookie in name check Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: amlbcookie, with domain: .xint.xcorp.xsun Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Removing cookie: amlbcookie in name check Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: BIGipServerpool-amdaui, with domain: Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookies: Wed Mar 24 13:44:01 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookies:
So the amlbcookie dissappears no worries - the problem is this;
The F5 shows 4 AMDistAuthCookie's with the domain as .gio.com.au and so doesn;t drop them, yet in the browser i see:Set-CookieAMDistAuthCookie=http://samru3.exttest.lab:80/distAuth/UI/Login; Domain=.gio.com.au; Path=/ Set-CookieAMDistAuthCookie=http://samru3.exttest.lab:80/distAuth/UI/Login; Domain=.exttest.lab; Path=/ Set-CookieAMDistAuthCookie=http://samru3.exttest.lab:80/distAuth/UI/Login; Domain=.vero.apps.anznb.co.nz; Path=/ Set-CookieAMDistAuthCookie=http://samru3.exttest.lab:80/distAuth/UI/Login; Domain=.xint.xcorp.xsun; Path=/
Any ideas????- hoolioI'd guess the issue is with handling multiple instances of the same cookie names with the HTTP::cookie domain command. Short of saving the cookie values and then removing each cookie one by one, I'm not sure how you could handle this.
Maybe F5 Support would have ideas on this?
Aaron 
Craig_Jackson_2I used this code to strip a cookie that was causing us problems, and I encountered a problem with the code.
The problem occurred when we received a cookie whose name included a quote. In that case, "foreach a_cookie [HTTP::cookie names]" produced errors something like these:
list element in quotes followed by "customerSurvey":"NA"" instead of space
list element in quotes followed by ":" instead of space
unmatched open quote in list
Unfortunately, it doesn't log the offending list element or list, but I think one of the cookie names was something like '"foo":'. (foo in quotes, with a colon after the close quote.
As best as I can tell, quotes aren't legal in cookie names, which obey the rule for HTTP tokens. However, that doesn't mean that they can't occur in a Cookie: header. I created them myself using Fiddlerscript.
However, I'm really not quite sure why the list is being scanned for syntax in the line "foreach a_cookie [HTTP::cookie names]". It seems like [HTTP::cookie names] would be treated as a single syntactic item and would not be further expanded.
Is this an F5 bug?- hoolioHi Craig,
I think this is a bug in the app or client that is using a double quote in the cookie name :). Can you try stripping out the double quotes before using the value in foreach?
foreach a_cookie [string map [list {"} {}] [HTTP::cookie names]
and then remove the double quotes from your comparisons?
Aaron - nitass
Employee
just wondering if quote really causes a problem. also, if quote is interpreted, how can we get cookie value of the cookie name which has quote e.g. foo.[root@ve10:Active] config b virtual bar list virtual bar { snat automap pool foo destination 172.28.19.79:80 ip protocol 6 rules myrule profiles { http {} tcp {} } } [root@ve10:Active] config b pool foo list pool foo { members 200.200.200.101:80 {} } [root@ve10:Active] config b rule myrule list rule myrule { when HTTP_RESPONSE { log local0. "\[HTTP::cookie names\]: [HTTP::cookie names]" foreach a_cookie [HTTP::cookie names] { log local0. "\$a_cookie: $a_cookie=[HTTP::cookie $a_cookie] (\$a_cookie=\[HTTP::cookie $a_cookie\])" } } } on client [root@centos11 ~] curl -I http://172.28.19.79 HTTP/1.1 200 OK Date: Fri, 26 Oct 2012 08:00:42 GMT Server: Apache/2.2.3 (CentOS) Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT ETag: "4183e4-3e-9c564780" Accept-Ranges: bytes Content-Length: 62 Set-Cookie: "foo"=123456; path=/ Set-Cookie: bar=abcdef; path=/ Connection: close Content-Type: text/html; charset=UTF-8 log on bigip [root@ve10:Active] config tail -f /var/log/ltm Oct 26 15:43:18 local/tmm info tmm[7926]: Rule myrule : [HTTP::cookie names]: "foo" bar Oct 26 15:43:18 local/tmm info tmm[7926]: Rule myrule : $a_cookie: foo= ($a_cookie=[HTTP::cookie foo]) Oct 26 15:43:18 local/tmm info tmm[7926]: Rule myrule : $a_cookie: bar=abcdef ($a_cookie=[HTTP::cookie bar])
Robert_47833Altostratus
not double quotes. but more than double quotes try this: "test"xyz or "test"p"xyz" or “test”xyz" ,then u will see the error- Robert_47833by the way:single quote is another error:)
nitass_89166Noctilucent
just wondering if quote really causes a problem. also, if quote is interpreted, how can we get cookie value of the cookie name which has quote e.g. foo.[root@ve10:Active] config b virtual bar list virtual bar { snat automap pool foo destination 172.28.19.79:80 ip protocol 6 rules myrule profiles { http {} tcp {} } } [root@ve10:Active] config b pool foo list pool foo { members 200.200.200.101:80 {} } [root@ve10:Active] config b rule myrule list rule myrule { when HTTP_RESPONSE { log local0. "\[HTTP::cookie names\]: [HTTP::cookie names]" foreach a_cookie [HTTP::cookie names] { log local0. "\$a_cookie: $a_cookie=[HTTP::cookie $a_cookie] (\$a_cookie=\[HTTP::cookie $a_cookie\])" } } } on client [root@centos11 ~] curl -I http://172.28.19.79 HTTP/1.1 200 OK Date: Fri, 26 Oct 2012 08:00:42 GMT Server: Apache/2.2.3 (CentOS) Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT ETag: "4183e4-3e-9c564780" Accept-Ranges: bytes Content-Length: 62 Set-Cookie: "foo"=123456; path=/ Set-Cookie: bar=abcdef; path=/ Connection: close Content-Type: text/html; charset=UTF-8 log on bigip [root@ve10:Active] config tail -f /var/log/ltm Oct 26 15:43:18 local/tmm info tmm[7926]: Rule myrule : [HTTP::cookie names]: "foo" bar Oct 26 15:43:18 local/tmm info tmm[7926]: Rule myrule : $a_cookie: foo= ($a_cookie=[HTTP::cookie foo]) Oct 26 15:43:18 local/tmm info tmm[7926]: Rule myrule : $a_cookie: bar=abcdef ($a_cookie=[HTTP::cookie bar])- Robert_47833not double quotes. but more than double quotes try this: "test"xyz or "test"p"xyz" or “test”xyz" ,then u will see the error
- Robert_47833by the way:single quote is another error:)
- Craig_Jackson_2I did end up using regsub to strip the quotes from the string returned by [HTTP::cookie names] before using it as a list.
The difference between my test and yours is that my cookie name had text after the quote. I tested with
Cookie: "foo":=bar
However, it seems like the list may be being interpreted one too many times. Maybe I'm misunderstanding Tcl, but I think the results of a list command should be able to be used as a list even though the list has invalid members.
Whether or not that's a valid cookie name is irrelevant. We need to anticipate that invalid things will be transmitted from clients.
Note that I don't know exactly what the invalid list entry is, nor the client IP, because neither is being logged. I know I could probably find both pieces of information using catch, but I really don't want to release debugging code on a production box. :-)
