Forum Discussion

Brad_Baker's avatar
Mar 10, 2022

Clearing cookies for site with iRule

We believe we have some users with bad cookies on their system. Its not practical to ask all users to delete their cookies so we want to force them to expire with an f5 iRule.

There is an HTTP::cookie remove query but my impression is that removes the cookie either from the request or the response. It doesn't clear the cookie from the users system. Instead it seems like we need to set the expiry on all cookies to a date in the past. 

I am trying to do that with the following iRule with no luck:

 

 

when HTTP_RESPONSE {
    # check to see if the cookie cookie_version2 exists if it doesn't clear the cookies
    # this ensures cookies only get cleared once. 
    if {not [HTTP::cookie exists "cookie_version2"]} {
        log local0. "[IP::client_addr] cookie_version2 does not exist"
            
        set Cookies [HTTP::cookie names]
        foreach Cookie $Cookies {
                log local0. "$Cookie expired"
                HTTP::cookie expires $Cookie 0 absolute
        }
        
        log local0. "ALL COOKIES EXPIRED (x_x)"
        
        #log local0. "Add cookie cookie_version=1 to track if the cookies have been cleared before or not"
        HTTP::cookie insert name "cookie_version2" value "1" path "/"
        HTTP::cookie attribute cookie_version2 value "expires" "Thu, 09-April-2022 00:00:00 GMT"
    } 
}

 

Can anyone help me figure out why this isn't working as expected. My impression is that the client sends all cookies with the request does the server not send all cookies back with the response? Is that why its not working?

I also see references to HTTP::expires only applying to version 0 cookies only in the documentation. But how do I know if my cookies aer version 0,1,2. Do I need to do this differently for other cookie versions?

Thanks,
Brad

8 Replies

  • I found another article which suggests I may need something more like this. What I am struggling with is how to check of the cookie_version2 cookie exists so we don't repeatedly expire all cookies. Any suggestions on how I can do that?

    when HTTP_REQUEST { 
        set request_cookies [HTTP::cookie names] 
    }
    
    when HTTP_RESPONSE {
        foreach a_cookie $request_cookies { 
            log local0. "Remove cookie: $a_cookie" 
            HTTP::header insert Set-Cookie "$a_cookie=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;path=/" 
        } 
     
        log local0. "Add cookie cookie_version=1 to track if the cookies have been cleared before or not"
        HTTP::cookie insert name "cookie_version2" value "1" path "/"
        HTTP::cookie attribute cookie_version2 value "expires" "Thu, 09-April-2022 00:00:00 GMT"
    
        #log local0. "Add dummy cookie to see if cookie deletions is working"
        #HTTP::cookie insert name "dummy_cookie" value "1"  path "/"
        #HTTP::cookie attribute dummy_cookie value "expires" "Thu, 09-April-2022 00:00:00 GMT"
    }

     

  • Seems like this should work but it doesn't 

    when HTTP_REQUEST { 
        # If the cookie_version2 cookie doesn't exist get 
        # a list of cookies to be used in the response
        if {not [HTTP::cookie exists "cookie_version2"]} {
            #log local0. "cookie_version2 exists"
            set request_cookies [HTTP::cookie names] 
        }
    }
    
    when HTTP_RESPONSE {
        # If there is a list of cookies to delete 
        if {[info exists request_cookies]} {
            #log local0. "Iterating through deleting cookies"
                    
            # Iterate thruough them and set the expiry in the past
            foreach a_cookie $request_cookies { 
                #log local0. "Remove cookie: $a_cookie" 
                HTTP::header insert Set-Cookie "$a_cookie=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;path=/" 
            } 
         
            # Set a cookie_version2 cookie so we don't run this again.
            #log local0. "Add cookie cookie_versio2=1 to track if the cookies have been cleared before or not"
            HTTP::cookie insert name "cookie_version2" value "1" path "/"
            HTTP::cookie attribute cookie_version2 value "expires" "Thu, 09-April-2022 00:00:00 GMT"
        
            #log local0. "Add dummy cookie to see if cookie deletions is working"
            HTTP::cookie insert name "dummy_cookie" value "1"  path "/"
            HTTP::cookie attribute dummy_cookie value "expires" "Thu, 09-April-2022 00:00:00 GMT"
        }
    }
    • CA_Valli's avatar
      CA_Valli
      Icon for MVP rankMVP

      Hi, I've achieved a similar thing recently to delete APM cookies and restart session.  I can confirm the only way to delete cookies on client side is forcing them to expire. Try to see if my code snippet helps you. Also, I'm only removing cookies for specific domain since that was what I needed for my environment, use browser tools to determine whether you need this or not. 

       

      when HTTP_REQUEST {
          set refererfound 0
      
          if {[string tolower [HTTP::header value Referer]] eq "<censored>"}{
              set refererfound 1
              HTTP::header replace Referer ""
              set reqcookies [HTTP::cookie names]
              foreach cookie $reqcookies {
                  HTTP::cookie remove $cookie
              }
          }
      }
      
      when HTTP_RESPONSE_RELEASE { 
          if {$refererfound eq 1}{
          foreach acookie $reqcookies {
              HTTP::header insert Set-Cookie "$acookie=deleted; domain=<censored>; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/"          
          }
          }
      }

       

      • David_M's avatar
        David_M
        Icon for Cirrostratus rankCirrostratus

        hey, I'm trying something similar, so if I want to do it for just 1 domain do I just replace your if condition to match the HTTP host? The domain is simple like example.com 

            if {[string tolower [HTTP::header value Referer]] eq "<censored>"}{ #replace with HTTP host instead of referer here? Will that work?