
Can't identify cookie

stupid48
Altocumulus

So, I'm running the "ultimate iRule debug" trying to figure out who is setting a cookie. It's a cookie that we think shouldn't be coming from the pool member. The reason we say that is when we test with a working connection (i.e. authenticated), that cookie never gets set. Specifically, in the debug, we don't see it in the "http_response" but see it in the "http_response_release":

<HTTP_RESPONSE>: ----------- http_response -----------
<HTTP_RESPONSE>: uid: db9aebfa8 - status: 200
<HTTP_RESPONSE>: uid: db9aebfa8 - pool member IP: /Common/Prod.app/Prod_pool 10.xxx.xxx.xxx 4443
<HTTP_RESPONSE>: uid: db9aebfa8 - Date: Wed, 27 Jul 2022 15:44:05 GMT
<HTTP_RESPONSE>: uid: db9aebfa8 - Server:
<HTTP_RESPONSE>: uid: db9aebfa8 - Last-Modified: Sun, 27 Mar 2022 14:31:19 GMT
<HTTP_RESPONSE>: uid: db9aebfa8 - ETag: "4c5-5db340c8e7bc0"
<HTTP_RESPONSE>: uid: db9aebfa8 - Accept-Ranges: bytes
<HTTP_RESPONSE>: uid: db9aebfa8 - Content-Length: 1221
<HTTP_RESPONSE>: uid: db9aebfa8 - X-Frame-Options: SAMEORIGIN
<HTTP_RESPONSE>: uid: db9aebfa8 - X-Content-Type-Options: nosniff
<HTTP_RESPONSE>: uid: db9aebfa8 - Keep-Alive: timeout=15
<HTTP_RESPONSE>: uid: db9aebfa8 - Connection: Keep-Alive
<HTTP_RESPONSE>: uid: db9aebfa8 - Content-Type: text/html
<HTTP_RESPONSE>: uid: db9aebfa8 - Content-Language: en
<HTTP_RESPONSE>: uid: db9aebfa8 - Set-Cookie: cosmos=1795096330.23313.0000; path=/; Httponly; Secure
<HTTP_RESPONSE>: ----------- http_response -----------
<HTTP_RESPONSE>:
<HTTP_RESPONSE_DATA>: ----------- http_response_payload -----------
<HTTP_RESPONSE_DATA>: uid: db9aebfa8 - Response (Body) payload: <!-- dbdrv: none --> <!-- appdet.html --> <html> <HEAD> <TITLE>Home Page Redirect</TITLE> <META http-equiv=REFRESH content="1; URL=https://xx"> </HEAD> <body> <DIV ID="content">
<HTTP_RESPONSE_DATA>: ----------- http_response_payload -----------
<HTTP_RESPONSE_DATA>:
<HTTP_RESPONSE_RELEASE>: ----------- http_response_release -----------
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - status: 200
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - pool member IP: /Common/Prod.app/Prod_pool 10.xxx.xxx.xxx 4443
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Date: Wed, 27 Jul 2022 15:44:05 GMT
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Last-Modified: Sun, 27 Mar 2022 14:31:19 GMT
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - ETag: "4c5-5db340c8e7bc0"
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Accept-Ranges: bytes
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Content-Length: 1221
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - X-Frame-Options: SAMEORIGIN
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - X-Content-Type-Options: nosniff
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Keep-Alive: timeout=15
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Connection: Keep-Alive
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Content-Type: text/html
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Content-Language: en
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Set-Cookie: TS011b84d2=016cf3c73c8f3d3632c2783e0a6b27af43cf9a592e6129af3e0094acb85d88f58b02e11b8e2eb6d5ab7441d929cb436e1013ea5426b3043afc175bdc1f95d285a3e1faa534; Path=/
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Set-Cookie: TS011b84d2=016cf3c73c8f3d3632c2783e0a6b27af43cf9a592e6129af3e0094acb85d88f58b02e11b8e2eb6d5ab7441d929cb436e1013ea5426b3043afc175bdc1f95d285a3e1faa534; Path=/
<HTTP_RESPONSE_RELEASE>: ----------- http_response_release -----------

The cookie I am referring to is: TS011b84d2

My question is, why does the cookie show up only in the http_response_release?  Wouldn't it show up in the http_response as well if it was being set by the pool member?  To me it almost seems like the LTM is setting the cookie.

1 ACCEPTED SOLUTION

JRahm
Community Manager

TS cookies come from ASM/AdvWAF. That uses the plugin architecture, which grabs responses early on the server side, bypasses much of the normal hud chain on the proxy path, and releases them late on the client side, which is why they are masked until HTTP_RESPONSE_RELEASE. Here are details on the ASM cookies: https://support.f5.com/csp/article/K54501322
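
Added example, not part of the original thread and not F5 code: a small Python script that reads debug output in the format posted above and reports, per uid, which cookies and headers differ between HTTP_RESPONSE and HTTP_RESPONSE_RELEASE, so anything the proxy itself adds or strips after the pool member's response stands out. The sample log is constructed from the post with the cookie value shortened, and the function names and the "TS" prefix check are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the debug-log format shown in the post (cookie value shortened).
SAMPLE_LOG = """\
<HTTP_RESPONSE>: ----------- http_response -----------
<HTTP_RESPONSE>: uid: db9aebfa8 - status: 200
<HTTP_RESPONSE>: uid: db9aebfa8 - Server:
<HTTP_RESPONSE>: uid: db9aebfa8 - Content-Type: text/html
<HTTP_RESPONSE>: uid: db9aebfa8 - Set-Cookie: cosmos=1795096330.23313.0000; path=/; Httponly; Secure
<HTTP_RESPONSE_DATA>: uid: db9aebfa8 - Response (Body) payload: <html>
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - status: 200
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Content-Type: text/html
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Set-Cookie: TS011b84d2=016cf3c7; Path=/
<HTTP_RESPONSE_RELEASE>: uid: db9aebfa8 - Set-Cookie: TS011b84d2=016cf3c7; Path=/
"""

# Only the two header-bearing events; HTTP_RESPONSE_DATA and separators do not match.
LINE_RE = re.compile(r"^<(HTTP_RESPONSE(?:_RELEASE)?)>: uid: (\S+) - ([^:]+):\s*(.*)$")

def parse(log):
    """Return {uid: {event: {"cookies": set, "headers": set}}}."""
    seen = defaultdict(lambda: defaultdict(lambda: {"cookies": set(), "headers": set()}))
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event, uid, name, value = m.groups()
        if name.strip().lower() == "set-cookie":
            # The cookie name is everything before the first '='.
            seen[uid][event]["cookies"].add(value.split("=", 1)[0].strip())
        else:
            seen[uid][event]["headers"].add(name.strip())
    return seen

def diff_events(log):
    """Per uid, what changed between HTTP_RESPONSE and HTTP_RESPONSE_RELEASE."""
    report = {}
    for uid, ev in parse(log).items():
        early, late = ev["HTTP_RESPONSE"], ev["HTTP_RESPONSE_RELEASE"]
        added = late["cookies"] - early["cookies"]
        report[uid] = {
            "cookies_added": sorted(added),
            "cookies_removed": sorted(early["cookies"] - late["cookies"]),
            "headers_removed": sorted(early["headers"] - late["headers"]),
            # Heuristic from the answer: TS-prefixed cookies come from ASM/AdvWAF.
            "likely_asm": sorted(c for c in added if c.startswith("TS")),
        }
    return report

if __name__ == "__main__":
    print(diff_events(SAMPLE_LOG))
```
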


3 REPLIES 3

Oh my.  Thanks so much.
