Forum Discussion

vivek_76299
May 13, 2013

Secure cookie iRule is not working as expected

 

We are using the below iRule for making all cookies secure, but it is not working as expected. Below is the issue description. Help me in resolving this issue.

iRule:


when HTTP_RESPONSE {
    set cookies [HTTP::cookie names]
    # Loop through each cookie by name in the response
    foreach aCookie $cookies {
        # Debug logging only: this writes cookie values (session tokens) to local syslog
        log local0. "$aCookie, [HTTP::cookie value $aCookie]"
        # Set the Secure flag to enabled on this cookie
        HTTP::cookie secure $aCookie enable
    }
}


Issue description:

Below is a snippet of one of the Set-Cookie responses.


Cookie sent by IIS server:

Set-Cookie USEREXIST=OMMONFRE; Expires=Sat, 18-May-2013 14:35:03 GMT; Path=/sso_admin; HttpOnly

Cookie after iRule execution:

USEREXIST=OMMONFRE;secure; Expires=Sat,;secure; 18-May-2013 14:35:03;secure; GMT;Secure; Path=/sso_admin; HttpOnly

Logs show that a single Set-Cookie is being interpreted as multiple Set-Cookies.


LTM logs:

May 13 09:15:21 tmm info tmm[6840]: Rule /Common/ir_securecookie_log : JSESSIONID, OLbwbxawwZJZVz85YLW+Ng__
May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : USEREXIST, OMMONFRE
May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : Expires, Sat,
May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : GMT,
May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : 18-May-2013, 14:03:16

Thanks,
Vivek.

6 Replies

  • Which TMOS version are you running. I haven't found anything specific to this issue, but assuming it's a bug, I tested your iRule on 11.3 and it produced the correct results.
  • The version of LTM we are using is "BIG-IP 11.1.0 Build 2027.0 Hotfix HF2".

    I have observed that for some cookies it is working fine and for some it fails. Below are some examples.

    Successful for the below cookie:

    Set-Cookie JSESSIONID=xZMgxl1gPyTV0UgpcNUmHA__; Path=/sso_admin; HttpOnly

    Failure for the below cookies:

    Set-Cookie USEREXIST=OMMONFRE; Expires=Sat, 18-May-2013 14:35:03 GMT; Path=/sso_admin; HttpOnly
    Set-Cookie USEREXIST=; Expires=Thu, 1-Jan-1970 00:00:10 GMT; Path=/sso_admin; HttpOnly

    Let me know if any other information is required.

    Thanks,
    Vivek.


  • Well, that certainly looks like a bug, as it doesn't appear to affect other versions. I'd recommend opening a case with support. There are workarounds of course, but nothing as clean as what you're already doing.
  • We ran into this same issue with 11.3 Engineering Hotfix HF5.

    At this point we just had to disable the secure cookie logic on the LTM and hope the apps set it.

    Cookie coming from the server:

    senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w; Path=/; Expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure

    After running through the iRule logic:

    senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w;Secure; Path=/; Expires=Tue, 18 Jun;secure; 2013 21:32:02;secure; GMT; HttpOnly; Secure

    Will be opening a case.
  • "We ran into this same issue with 11.3 Engineering Hotfix HF5": can you change "Expires" to lowercase on your server? If not, can you try something like this?

    e.g.

    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.20.16:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            tcp { }
        }
        rules {
            myrule
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vlans-disabled
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
    ltm rule myrule {
        when HTTP_RESPONSE priority 100 {
            # Runs first (priority 100 is lower than the default 500): take every Set-Cookie
            # header the server sent, strip them, and re-insert each one with "Expires" lowercased
            set setck [HTTP::header values "Set-Cookie"]
            HTTP::header remove "Set-Cookie"
            foreach item $setck {
                HTTP::header insert "Set-Cookie" "[string map {Expires expires} $item]"
            }
        }
        when HTTP_RESPONSE {
            set cookies [HTTP::cookie names]
            # Loop through each cookie by name in the response
            foreach aCookie $cookies {
                # Set the Secure flag to enabled on this cookie
                log local0. "$aCookie, [HTTP::cookie value $aCookie]"
                HTTP::cookie secure $aCookie enable
            }
        }
    }

    # server response (not passing through bigip)

    [root@ve11a:Active:Changes Pending] config # curl -I http://200.200.200.101
    HTTP/1.1 200 OK
    Date: Thu, 20 Jun 2013 03:59:45 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Thu, 23 May 2013 00:28:46 GMT
    ETag: "4185a8-59-c3efab80"
    Accept-Ranges: bytes
    Content-Length: 89
    Set-Cookie: foo=1234; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly
    Set-Cookie: senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w; Path=/; Expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure
    Connection: close
    Content-Type: text/html; charset=UTF-8

    # response (passing through bigip)

    [root@ve11a:Active:Changes Pending] config # curl -I http://172.28.20.16
    HTTP/1.1 200 OK
    Date: Thu, 20 Jun 2013 03:59:49 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Thu, 23 May 2013 00:28:46 GMT
    ETag: "4185a8-59-c3efab80"
    Accept-Ranges: bytes
    Content-Length: 89
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: foo=1234;Secure; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly
    Set-Cookie: senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w; Path=/; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure

    
  • This is a side effect of ID386763 (credited to KC).

    Bug 386763 - HTTP::cookie remove does not remove whole cookie
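As an added example (editor's code, not from the thread, from F5 or from the BIG-IP product), here is a small Python Set-Cookie parser and Secure-flag rewriter that does what the iRule above is meant to do without tearing the Expires date apart, plus an audit you can run over the headers that come back from the virtual server to confirm every cookie carries Secure and HttpOnly. The sample headers are the ones quoted in the thread; `torn_by_comma_split` is a constructed check for the specific failure class seen here (a comma inside the Expires value being treated as a cookie separator) and makes no claim about how TMM's cookie parser is implemented internally.

```python
"""Set-Cookie parsing, Secure-flag rewriting and a flag audit.

Added example; not code from the thread or from F5. Sample headers are the
Set-Cookie values quoted in the thread, as the servers sent them.
"""
import re
from typing import List, Tuple

Attr = Tuple[str, str]

SAMPLE_SET_COOKIES = [
    "JSESSIONID=xZMgxl1gPyTV0UgpcNUmHA__; Path=/sso_admin; HttpOnly",
    "USEREXIST=OMMONFRE; Expires=Sat, 18-May-2013 14:35:03 GMT; Path=/sso_admin; HttpOnly",
    "USEREXIST=; Expires=Thu, 1-Jan-1970 00:00:10 GMT; Path=/sso_admin; HttpOnly",
    "foo=1234; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly",
    "senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5Ydcp"
    "ThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w; Path=/; Expires=Tue, 18 Jun 2013 21:32:02 GMT;"
    " HttpOnly; Secure",
]


def parse_set_cookie(header: str) -> Tuple[str, str, List[Attr]]:
    """Split one Set-Cookie value into (name, value, [(attr, value), ...]).

    RFC 6265 separates the cookie-pair from its attributes with ';' only. A comma
    is an ordinary character inside an attribute value, which is exactly what the
    Expires date format uses ("Sat, 18-May-2013 ..."), so it is never a separator.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: List[Attr] = []
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs.append((key.strip(), val.strip()))
    return name.strip(), value.strip(), attrs


def serialize_set_cookie(name: str, value: str, attrs: List[Attr]) -> str:
    """Inverse of parse_set_cookie; flag attributes (HttpOnly, Secure) carry no '='."""
    pieces = [f"{name}={value}"]
    for key, val in attrs:
        pieces.append(f"{key}={val}" if val else key)
    return "; ".join(pieces)


def has_flag(attrs: List[Attr], flag: str) -> bool:
    """Attribute names are case-insensitive ('Expires' and 'expires' are the same)."""
    return any(key.lower() == flag.lower() for key, _ in attrs)


def ensure_secure(header: str) -> str:
    """Return the header with a Secure flag, adding it at most once."""
    name, value, attrs = parse_set_cookie(header)
    if has_flag(attrs, "Secure"):
        return header  # already secure: leave the server's header untouched
    attrs.append(("Secure", ""))
    return serialize_set_cookie(name, value, attrs)


def audit_cookie_flags(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """List (cookie name, missing flags) for every Set-Cookie lacking Secure or HttpOnly."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        missing = [f for f in ("Secure", "HttpOnly") if not has_flag(attrs, f)]
        if missing:
            findings.append((name, missing))
    return findings


def torn_by_comma_split(header: str) -> bool:
    """True if a splitter that also breaks on ',' yields more pieces than a ';'-only
    split, i.e. the header has a comma inside an attribute value (the Expires date)
    and would be mangled by the failure class shown in the thread."""
    proper = [p for p in header.split(";") if p.strip()]
    naive = [p for p in re.split(r"[;,]", header) if p.strip()]
    return len(naive) > len(proper)


if __name__ == "__main__":
    for raw in SAMPLE_SET_COOKIES:
        print(f"{'TORN' if torn_by_comma_split(raw) else 'ok  '} {ensure_secure(raw)}")
    print("still missing flags after rewrite:",
          audit_cookie_flags([ensure_secure(h) for h in SAMPLE_SET_COOKIES]))
```

Two caveats on the thread's own iRules that the audit does not cover: `string map {Expires expires}` rewrites every occurrence of "Expires" in the header string, including inside a cookie's name or value, not just the attribute name; and the `log local0.` line in both rules writes cookie values (session tokens such as JSESSIONID) to local syslog, so it should be removed once the rewrite has been verified.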