cancel
Showing results for 
Search instead for 
Did you mean: 

Cookie bug in ProxyPass V10 iRule ?

Jobec_45051
Nimbostratus
Nimbostratus
Hi All,

 

 

I think I've found a bug concerning cookies in the ProxyPass v10 iRule (http://devcentral.f5.com/wiki/iRules.ProxyPassv10.ashx).

 

 

We had a Safari browser not honoring the domain attribute of our cookies. I then found out it was because there was a dot at the end of the domain attribute. When reviewing RFC 6265 about cookies (http://tools.ietf.org/html/rfc6265) I can see that this is expected behavior. Chapter 4.1.2.3. The Domain Attribute of the RFC states:

 

 

"but a trailing %x2E ("."), if present, will cause the user agent to ignore the attribute."

 

 

So I think line 413 of the iRule should be something like:

 

set elementvalue [string trimright $elementvalue "."]

 

 

and line 420:

 

set elementvalue ".$elementvalue"

 

 

Is there anyone else that ran into this problem before? Setting the domain attribute isn't that common of course.

 

2 REPLIES 2

René_Geile
Cirrus
Cirrus

This bug seems to be still present in v10.9 of the iRule. The second comand is wrong in v10.9:

 

v10.9 Line 429 is wrong: append elementvalue "."

 

v10.9 Line 429 corrected: set elementvalue ".$elementvalue"

 

wendelyes
Nimbostratus
Nimbostratus

Hello,

I am affected by this bug but I have a little different behavior. The browser (chrome) instead of not honoring the domain attribute, is discarding the cookie because the domain does not match. The browser is showing: "This attempt to set a cookie via a Set-Cookie header was blocked because its Domain attribute was inbalid with regards to the current host url"

 

Regarding the code, line 413 is removing the trailing "." and line 420 is adding it again so I am not sure if this is intended or a mistake. Why line 420 should add a leading "." if line line 413 removed a trailing "."?

In my opinion, I think that line 413 and 420 should be removed. And probaly add new code to add leading or trailing "." if the original domain contains it.

 

Regards