For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Yozzer's avatar
Yozzer
Icon for Nimbostratus rankNimbostratus
Mar 17, 2012

sub domain session cookies

Just a bit of background on what i hope an irule can help me to achieve.

 

 

I want to send SAML tokens to a sub domain and the resulting session cookie that’s returned from a successful login needs to appear to be from the domain not the sub domain. Is this possible? Both domains will be able to access the same DB so the session cookie set from the sub domain can be read by the host domain.

 

 

As an example, host.com is the site that i want to login to. To login i need to send SAML tokens to a sub domain called sso.host.com. This sub domain will then process the SAML token and return a session cookie. Can i use an irule to set the returned session cookie for the host domain (host.com) instead of from the sub domain (sso.host.com)?

 

 

Thanks

 

application delivery
dev
devops
iRules

6 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Mar 17, 2012
    Hi Yozzer,

     

     

    You can set the domain on a cookie using HTTP::cookie domain in HTTP_RESPONSE:

     

     

    https://devcentral.f5.com/wiki/iRules.http__cookie.ashx

     

     

    Aaron
  • Yozzer's avatar
    Yozzer
    Icon for Nimbostratus rankNimbostratus
    Mar 17, 2012
    Hi

     

     

    I found the following irule on the forum to set all cookies to a different domain (not sub domain):

     

     

    when HTTP_RESPONSE {

     

     

    Loop through each response cookie by name

     

     

    foreach aCookie [HTTP::cookie names] {

     

     

    Set the domain on the cookie to .host

     

     

    HTTP::cookie domain $aCookie ".host.com"

     

     

    }

     

     

    }

     

     

    When i tested it I can see the domain request (domain=.host.com) has been added to the cookies using tamper data:

     

     

    Set-Cookie: Cookie=12345&PrevPageID=1&PrevURL=https://10.1.1.1/login.aspx&SessionNo=0;domain=.host.com; path=/

     

     

    But when i looked at Firefox in the cookie container, it hadnt been set for the 10.1.1.1 address which is what i was expecting however i couldnt see the cookie associated with the new .host.com domain.

     

     

    how do i know if its been set?

     

     

    Thanks

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Mar 17, 2012
    But when i looked at Firefox in the cookie container, it hadnt been set for the 10.1.1.1 address which is what i was expecting however i couldnt see the cookie associated with the new .host.com domain.just wondering if browser allows cross domain cookie.
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Mar 21, 2012
    I'm fairly sure the browser should accept a cookie set for .host.com in response to a request made to subdomain.host.com:

     

     

    http://en.wikipedia.org/wiki/HTTP_cookieDomain_and_Path

     

     

    Are both hosts on the same domain?

     

     

    Aaron