Remove all Cookies incase based on specific condition

Abdulaziz1 · ‎23-Jul-2023

We've a requimrent to flush all cookies from the user session incase a user deleted one cookie from client browser.

why such request, our web servers have some security restrictions to have both cookies in reqeust for session to be valid "JSESSIONID & LtpaToken2".

incase a user deleted "LtpaToken2", then the "JSESSIONID" must be deleted else user will get the web server error code.

Please need your support to suggest the way to flush all cookies incase LtpaToken2 is removed and if we can add more condiations such as : refere contains /wps/portal/.

we've tried below but didn't work:

when HTTP_REQUEST {
if { ( [HTTP::uri] starts_with "/wps/myportal/" ) and ( [HTTP::cookie exists "JSESSIONID"] ) and ( not [HTTP::cookie exists "LtpaToken2"] ) } {
log local0. "Remove cookie JSESSIONID From Request as LtpaToken2 is not present"
HTTP::cookie remove "JSESSIONID"
HTTP::redirect https://www.mysite.com/landing.html
}

}

mihaic · ‎24-Jul-2023

can you try this :

if { ( [HTTP::uri] starts_with "/wps/myportal/" ) and ( [HTTP::cookie exists "JSESSIONID"] ) and not ( [HTTP::cookie exists "LtpaToken2"] ) }

Abdulaziz1 · ‎26-Jul-2023

I've tried the suggested change, but still same issue cookie presists

whisperer · ‎24-Jul-2023

Wrong approach. You need to instruct the web browser to invalidate the cookie. Take a look ar the following thread:

https://community.f5.com/t5/technical-forum/irule-delete-cookie-value-on-a-302-redirect/td-p/82205

In your iRule example, you are only stripping the cookie from being passed between the client and the F5. The cookie would still reside on the client machine.

Abdulaziz1 · ‎26-Jul-2023

could you plz post a sample irule as a guidance, as this kind of irules is new to us

DevCentral

Remove all Cookies incase based on specific condition

MFA required on DevCentral