Forum Discussion
TCL error on iRule-based logout logic
Dear all,
I am facing a very strange exception in one of our iRules which is dealing with generic logout on our virtuals.
The iRule:
when RULE_INIT {
    set static::LOGOUT_URI "/logout"
    set static::LOGOUT_COOKIE_EXCLUDE {"BIGip_SSO_"}
}
when HTTP_REQUEST {
    if {[HTTP::uri] starts_with $static::LOGOUT_URI} {
        set cookieResponse "Connection Close "
        # Iterate over all cookies
        foreach cookieName [HTTP::cookie names] {
            if {$cookieName ne ""} {
                foreach excludeCookieName $static::LOGOUT_COOKIE_EXCLUDE {
                    if {$cookieName starts_with $excludeCookieName} {
                    } else {
                        set cookieValue [HTTP::cookie $cookieName]
                        if {$cookieValue ne ""} {
                            set cookieResponse "$cookieResponse\"Set-Cookie\" \"[call /Common/RBUTIL::get_expired_cookiestring $cookieName]\" "
                            set cookieResponse "$cookieResponse\"Set-Cookie\" \"[call /Common/RBUTIL::get_expired_cookiestring $cookieName [HTTP::host] 0]\" "
                            set cookieResponse "$cookieResponse\"Set-Cookie\" \"[call /Common/RBUTIL::get_expired_cookiestring $cookieName 0 0]\" "
                            set cookieResponse "$cookieResponse\"Set-Cookie\" \"[call /Common/RBUTIL::get_expired_cookiestring $cookieName 0]\" "
                        }
                    }
                }
            }
        }
        if { $debugLevel > 1} { log local0.debug "$logPrefix Cookie logout sequence: $cookieResponse" }
        eval HTTP::respond 200 $cookieResponse
        unset cookieResponse
        return
    }
}
In most cases the iRule completes without any issues, but sometimes I receive the following error in ltm log:
Illegal argument. Missing argument (line 1) invoked from within "HTTP::cookie $cookieName" ("foreach" body line 4) invoked from within "foreach excludeCookieName $static::LOGOUT_COOKIE_EXCLUDE { if {$cookieName starts_with $excludeCookieName} { } else { set cookieVa..." ("foreach" body line 3) invoked from within "foreach cookieName [HTTP::cookie names] { if {$cookieName ne ""} { foreach excludeCookieName $static::LOGOUT_COOKIE_EXCLUDE { if {$cook..."
Any ideas on that? Thx
6 Replies
- Michael_Jenkins
Cirrostratus
One thing you could do is try to use the catch (or here) statement to trap an error there and then log what name is in the variable. My guess is that the variable is empty. You could also add a test on the value (i.e. cookieName) and see if that helps. You could also try adding some extra logging as well to see if maybe there are no cookies being passed.
    if {$cookieName starts_with $excludeCookieName || $cookieName equals ""} {
Just some thoughts. Hope it helps.
- Dietmar_Moltner
Nimbostratus
Thx, I will try that out
- StephanManthey
Nacreous
Hi Dietmar,
I'm not sure what this line is good for, as it will be a single value only:
    foreach excludeCookieName $static::LOGOUT_COOKIE_EXCLUDE {
Removed the section:
when RULE_INIT {
    set static::LOGOUT_URI "/logout"
    set static::LOGOUT_COOKIE_EXCLUDE {"BIGip_SSO_"}
}
when HTTP_REQUEST {
    if {[HTTP::uri] starts_with $static::LOGOUT_URI} {
        set cookieResponse "Connection Close "
        # Iterate over all cookies
        foreach cookieName [HTTP::cookie names] {
            if { $cookieName ne $static::LOGOUT_COOKIE_EXCLUDE } {
                if { [HTTP::cookie $cookieName] ne "" } {
                    set cookieResponse "$cookieResponse\"Set-Cookie\" \"[call /Common/RBUTIL::get_expired_cookiestring $cookieName]\" "
                    set cookieResponse "$cookieResponse\"Set-Cookie\" \"[call /Common/RBUTIL::get_expired_cookiestring $cookieName [HTTP::host] 0]\" "
                    set cookieResponse "$cookieResponse\"Set-Cookie\" \"[call /Common/RBUTIL::get_expired_cookiestring $cookieName 0 0]\" "
                    set cookieResponse "$cookieResponse\"Set-Cookie\" \"[call /Common/RBUTIL::get_expired_cookiestring $cookieName 0]\" "
                }
            }
        }
        if { $debugLevel > 1} { log local0.debug "$logPrefix Cookie logout sequence: $cookieResponse" }
        eval HTTP::respond 200 $cookieResponse
        unset cookieResponse
        return
    }
}
Perhaps a slightly reduced version solves the issue?
Thanks, Stephan
- Dietmar_Moltner
Nimbostratus
True in this case, point was to use a list for static::LOGOUT_COOKIE_EXCLUDE which would not work with the reduced version you proposed (at least I think it would be like that)
Thx
- StephanManthey
Nacreous
You can test with "if { [info exists cookieName] }" before executing the following commands. Adding a log statement may help to troubleshoot the issue as well:
    log local0. "cookie found: <$cookieName>, value: <[HTTP::cookie value $cookieName]>"
- Dietmar_Moltner
Nimbostratus
Yes, I can also add this check, good point. There are already many log statements I removed for better readability. The strange thing is that the error only occurs occasionally in our HA Production setup, on our standalone Development appliance the error can be reproduced.
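An added example, not code from any poster in this thread: one way to combine the suggestions above (empty-name test, catch with logging of the cookie name, the explicit "HTTP::cookie value" form from the log statement) while keeping the exclude setting a real list of prefixes. Assumptions: the expired Set-Cookie strings are built inline instead of through the thread's RBUTIL proc, and the names LOGOUT_EXPIRES, headers, keep and prefix plus the Path=/ attribute are illustrative.

```tcl
# Added example, not the original poster's iRule.
when RULE_INIT {
    set static::LOGOUT_URI "/logout"
    # A real Tcl list of cookie-name prefixes that must survive logout
    set static::LOGOUT_COOKIE_EXCLUDE [list "BIGip_SSO_"]
    # Assumed expiry date used to invalidate cookies in the browser
    set static::LOGOUT_EXPIRES "Thu, 01 Jan 1970 00:00:00 GMT"
}
when HTTP_REQUEST {
    if { !([HTTP::uri] starts_with $static::LOGOUT_URI) } { return }
    # Header name/value pairs are collected as a Tcl list, not as a string
    set headers [list "Connection" "Close"]
    foreach cookieName [HTTP::cookie names] {
        if { $cookieName eq "" } { continue }
        # Decide once per cookie, so a list with several prefixes does not
        # emit the same Set-Cookie header once per non-matching prefix
        set keep 0
        foreach prefix $static::LOGOUT_COOKIE_EXCLUDE {
            if { $cookieName starts_with $prefix } { set keep 1; break }
        }
        if { $keep } { continue }
        # Explicit "value" subcommand, wrapped in catch so that one
        # unreadable cookie is logged by name instead of aborting the rule
        if { [catch { set cookieValue [HTTP::cookie value $cookieName] } err] } {
            log local0.warning "logout: cannot read cookie <$cookieName>: $err"
            continue
        }
        if { $cookieValue eq "" } { continue }
        lappend headers "Set-Cookie" \
            "$cookieName=; Expires=$static::LOGOUT_EXPIRES; Path=/"
    }
    # eval of a single well-formed list runs exactly one command; the
    # client-supplied cookie names inside it are not re-parsed as Tcl
    eval [linsert $headers 0 HTTP::respond 200]
}
```

The warning line records which cookie name triggers the intermittent error, which is the information the replies above ask for.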
