
Clearing cookies for site with iRule

Brad_Baker
Nimbostratus

We believe we have some users with bad cookies on their system. It's not practical to ask all users to delete their cookies, so we want to force them to expire with an F5 iRule.

There is an HTTP::cookie remove query, but my impression is that it removes the cookie either from the request or the response. It doesn't clear the cookie from the user's system. Instead it seems like we need to set the expiry on all cookies to a date in the past.

I am trying to do that with the following iRule with no luck:

 

 

when HTTP_RESPONSE {
    # check to see if the cookie cookie_version2 exists if it doesn't clear the cookies
    # this ensures cookies only get cleared once. 
    if {not [HTTP::cookie exists "cookie_version2"]} {
        log local0. "[IP::client_addr] cookie_version2 does not exist"
            
        set Cookies [HTTP::cookie names]
        foreach Cookie $Cookies {
                log local0. "$Cookie expired"
                HTTP::cookie expires $Cookie 0 absolute
        }
        
        log local0. "ALL COOKIES EXPIRED (x_x)"
        
        #log local0. "Add cookie cookie_version=1 to track if the cookies have been cleared before or not"
        HTTP::cookie insert name "cookie_version2" value "1" path "/"
        HTTP::cookie attribute cookie_version2 value "expires" "Thu, 09-April-2022 00:00:00 GMT"
    } 
}

 

Can anyone help me figure out why this isn't working as expected? My impression is that the client sends all cookies with the request; does the server not send all cookies back with the response? Is that why it's not working?

I also see references in the documentation to HTTP::expires applying to version 0 cookies only. But how do I know if my cookies are version 0, 1 or 2? Do I need to do this differently for other cookie versions?

Thanks,
Brad

8 REPLIES

Brad_Baker
Nimbostratus

I found another article which suggests I may need something more like this. What I am struggling with is how to check if the cookie_version2 cookie exists so we don't repeatedly expire all cookies. Any suggestions on how I can do that?

when HTTP_REQUEST { 
    set request_cookies [HTTP::cookie names] 
}

when HTTP_RESPONSE {
    foreach a_cookie $request_cookies { 
        log local0. "Remove cookie: $a_cookie" 
        HTTP::header insert Set-Cookie "$a_cookie=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;path=/" 
    } 
 
    log local0. "Add cookie cookie_version=1 to track if the cookies have been cleared before or not"
    HTTP::cookie insert name "cookie_version2" value "1" path "/"
    HTTP::cookie attribute cookie_version2 value "expires" "Thu, 09-April-2022 00:00:00 GMT"

    #log local0. "Add dummy cookie to see if cookie deletions is working"
    #HTTP::cookie insert name "dummy_cookie" value "1"  path "/"
    #HTTP::cookie attribute dummy_cookie value "expires" "Thu, 09-April-2022 00:00:00 GMT"
}

 

Brad_Baker
Nimbostratus

Seems like this should work but it doesn't 

when HTTP_REQUEST { 
    # If the cookie_version2 cookie doesn't exist get 
    # a list of cookies to be used in the response
    if {not [HTTP::cookie exists "cookie_version2"]} {
        #log local0. "cookie_version2 exists"
        set request_cookies [HTTP::cookie names] 
    }
}

when HTTP_RESPONSE {
    # If there is a list of cookies to delete 
    if {[info exists request_cookies]} {
        #log local0. "Iterating through deleting cookies"
                
        # Iterate through them and set the expiry in the past
        foreach a_cookie $request_cookies { 
            #log local0. "Remove cookie: $a_cookie" 
            HTTP::header insert Set-Cookie "$a_cookie=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;path=/" 
        } 
     
        # Set a cookie_version2 cookie so we don't run this again.
        #log local0. "Add cookie cookie_versio2=1 to track if the cookies have been cleared before or not"
        HTTP::cookie insert name "cookie_version2" value "1" path "/"
        HTTP::cookie attribute cookie_version2 value "expires" "Thu, 09-April-2022 00:00:00 GMT"
    
        #log local0. "Add dummy cookie to see if cookie deletions is working"
        HTTP::cookie insert name "dummy_cookie" value "1"  path "/"
        HTTP::cookie attribute dummy_cookie value "expires" "Thu, 09-April-2022 00:00:00 GMT"
    }
}

Hi, I've achieved a similar thing recently to delete APM cookies and restart the session. I can confirm the only way to delete cookies on the client side is forcing them to expire. Try to see if my code snippet helps you. Also, I'm only removing cookies for a specific domain since that was what I needed for my environment; use browser tools to determine whether you need this or not.

 

when HTTP_REQUEST {
    set refererfound 0

    if {[string tolower [HTTP::header value Referer]] eq "<censored>"}{
        set refererfound 1
        HTTP::header replace Referer ""
        set reqcookies [HTTP::cookie names]
        foreach cookie $reqcookies {
            HTTP::cookie remove $cookie
        }
    }
}

when HTTP_RESPONSE_RELEASE { 
    if {$refererfound eq 1}{
        foreach acookie $reqcookies {
            HTTP::header insert Set-Cookie "$acookie=deleted; domain=<censored>; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/"
        }
    }
}
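
Added example, not part of the reply above and not F5 code: a small Python model of the browser's RFC 6265 cookie store, showing why an expiry `Set-Cookie` built only from the request's cookie names can leave cookies behind when they were stored under a different Domain or Path. The host `www.example.com` and the cookie names and values are constructed.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

NOW = datetime(2021, 4, 9, tzinfo=timezone.utc)  # constructed "current time"
EXPIRE = "{}=deleted;expires=Thu, 01-Jan-1970 00:00:10 GMT;path=/"  # form used in the thread

def default_path(uri_path):
    # RFC 6265 section 5.1.4: directory part of the request path, "/" at top level.
    if not uri_path.startswith("/") or uri_path.count("/") == 1:
        return "/"
    return uri_path.rsplit("/", 1)[0]

def apply_set_cookie(jar, header, host, uri_path="/"):
    """Apply one Set-Cookie value to jar, a dict keyed by (name, domain, path)."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    # A later attribute of the same name overrides an earlier one.
    av = {k.strip().lower(): v.strip()
          for k, _, v in (a.partition("=") for a in attrs)}
    # No Domain attribute: the cookie is stored under the exact request host.
    domain = av.get("domain", "").lstrip(".").lower() or host.lower()
    path = av.get("path") or default_path(uri_path)
    key = (name, domain, path)
    if "expires" in av and parsedate_to_datetime(av["expires"]) <= NOW:
        jar.pop(key, None)  # only an exact (name, domain, path) match is evicted
    else:
        jar[key] = value

def run_cleanup(extra_attrs=None):
    """Return the cookie names still stored after the proxy's expiry headers."""
    host, jar = "www.example.com", {}
    # Constructed cookies a backend might have set earlier.
    apply_set_cookie(jar, "session=abc; Path=/", host)
    apply_set_cookie(jar, "prefs=1; Domain=example.com; Path=/", host)
    apply_set_cookie(jar, "cart=9", host, uri_path="/shop/basket")
    # The Cookie request header carries names and values only, so the proxy
    # cannot see which Domain/Path each cookie was stored under.
    for name in ("session", "prefs", "cart"):
        header = EXPIRE.format(name) + (extra_attrs or {}).get(name, "")
        apply_set_cookie(jar, header, host)
    return sorted(k[0] for k in jar)
```

With the thread's header form unchanged, only `session` is evicted; the other two go once the expiry header repeats the Domain and Path the browser's developer tools show for them.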

 

Hey, I'm trying something similar, so if I want to do it for just 1 domain, do I just replace your if condition to match the HTTP host? The domain is simple, like example.com

    if {[string tolower [HTTP::header value Referer]] eq "<censored>"}{ #replace with HTTP host instead of referer here? Will that work? 

 

Hello David, syntax-wise it will work; however, consider that this will mean cookies will be dropped every time, since the iRule is executed at every request hit.

If you need "fresh" cookies to be generated and kept in next requests, you might want to consider injecting some cookie yourself, that will allow you to ignore the "cookie drop" on next requests.

I didn't need this in my scenario, since I was only concerned about a very specific HREF call. 

Also, check the Set-Cookie instruction in response release event too, it might require tuning.

This is my post where I want to delete cookies based on domain name. Any thoughts?

https://community.f5.com/t5/technical-forum/remove-cookies-based-on-hostname-from-http-response-poss...

It's not clear to me what you're trying to achieve, if you just need to remove persistence cookie and always rely on pool LB selection method, there is "persist none" iRule instruction. 

If you need to remove all cookies (why?) you can use my iRule, keep in mind this will delete persistence cookie as well. If you need to keep persist cookie, you can set it manually in the iRule with " persist cookie insert my_cookie_name "0d 00:00:00" " instruction and/or write some additional lines to save it & restore it after "cleanup cycle" is performed. 

 

This is just a design thing with 3 domains on a single VS, and now they have 90% traffic hitting just one of the pool members, so they want to remove persistence for one of the domains only.

So I guess persist none should do it, right?

Never knew about it, thanks. I'll try it out.