Secure cookie iRule is not working as expected

vivek_76299
Nimbostratus

We are using the below iRule for making all cookies secure, but it is not working as expected. Below is the issue description. Help me in resolving this issue.

iRule:

when HTTP_RESPONSE {
    set cookies [HTTP::cookie names]
    # Loop through each cookie by name in request
    foreach aCookie $cookies {
        # Replace cookie name from list and set Secure Flag to Enable
        log local0. "$aCookie, [HTTP::cookie value $aCookie]"
        HTTP::cookie secure $aCookie enable
    }
}

Issue description:

Below is the snippet of one of the set-cookie responses.

Cookie sent by IIS server:

Set-Cookie USEREXIST=OMMONFRE; Expires=Sat, 18-May-2013 14:35:03 GMT; Path=/sso_admin; HttpOnly

Cookie after iRule execution:

USEREXIST=OMMONFRE;secure; Expires=Sat,;secure; 18-May-2013 14:35:03;secure; GMT;Secure; Path=/sso_admin; HttpOnly

Logs show that a single set-cookie is being interpreted as multiple set-cookies.

LTM Logs:

May 13 09:15:21 tmm info tmm[6840]: Rule /Common/ir_securecookie_log : JSESSIONID, OLbwbxawwZJZVz85YLW+Ng__
May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : USEREXIST, OMMONFRE
May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : Expires, Sat,
May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : GMT,
May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : 18-May-2013, 14:03:16

Thanks,

Vivek.

Kevin_Stewart
F5 Employee

Which TMOS version are you running? I haven't found anything specific to this issue, but assuming it's a bug, I tested your iRule on 11.3 and it produced the correct results.

vivek_76299
Nimbostratus

The version of LTM we are using is "BIG-IP 11.1.0 Build 2027.0 Hotfix HF2".

I have observed that for some cookies it is working fine and for some it fails. Below are some examples.

Successful for below cookie:

Set-Cookie JSESSIONID=xZMgxl1gPyTV0UgpcNUmHA__; Path=/sso_admin; HttpOnly

Failure for below cookies:

Set-Cookie USEREXIST=OMMONFRE; Expires=Sat, 18-May-2013 14:35:03 GMT; Path=/sso_admin; HttpOnly
Set-Cookie USEREXIST=; Expires=Thu, 1-Jan-1970 00:00:10 GMT; Path=/sso_admin; HttpOnly

Let me know if any other information is required.

Thanks,

Vivek.


Kevin_Stewart
F5 Employee
Well, that certainly looks like a bug, as it doesn't appear to affect other versions. I'd recommend opening a case with support. There are workarounds of course, but nothing as clean as what you're already doing.

pallocca_73085
Nimbostratus

We ran into this same issue with 11.3 Engineering Hotfix HF5.

At this point we just had to disable the secure cookie logic on the LTM and hope the apps set it.

Cookie coming from the server:

senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w; Path=/; Expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure

After running through the iRule logic:

senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w;Secure; Path=/; Expires=Tue, 18 Jun;secure; 2013 21:32:02;secure; GMT; HttpOnly; Secure

Will be opening a case.

nitass
F5 Employee

"We ran into this same issue with 11.3 Engineering Hotfix HF5"

Can you change "Expires" to lowercase on your server? If not, can you try something like this?

e.g.

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.16:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans-disabled
}

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_RESPONSE priority 100 {
        set setck [HTTP::header values "Set-Cookie"]
        HTTP::header remove "Set-Cookie"
        foreach item $setck {
            HTTP::header insert "Set-Cookie" "[string map {Expires expires} $item]"
        }
    }
    when HTTP_RESPONSE {
        set cookies [HTTP::cookie names]
        # Loop through each cookie by name in request
        foreach aCookie $cookies {
            # Replace cookie name from list and set Secure Flag to Enable
            log local0. "$aCookie, [HTTP::cookie value $aCookie]"
            HTTP::cookie secure $aCookie enable
        }
    }
}

Server response (not passing through BIG-IP):

[root@ve11a:Active:Changes Pending] config curl -I http://200.200.200.101
HTTP/1.1 200 OK
Date: Thu, 20 Jun 2013 03:59:45 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 23 May 2013 00:28:46 GMT
ETag: "4185a8-59-c3efab80"
Accept-Ranges: bytes
Content-Length: 89
Set-Cookie: foo=1234; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly
Set-Cookie: senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w; Path=/; Expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure
Connection: close
Content-Type: text/html; charset=UTF-8

Response (passing through BIG-IP):

[root@ve11a:Active:Changes Pending] config curl -I http://172.28.20.16
HTTP/1.1 200 OK
Date: Thu, 20 Jun 2013 03:59:49 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 23 May 2013 00:28:46 GMT
ETag: "4185a8-59-c3efab80"
Accept-Ranges: bytes
Content-Length: 89
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: foo=1234;Secure; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly
Set-Cookie: senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w; Path=/; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure
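As an added example (not from this thread, nor F5 code), the two things the workaround above relies on, written in Python so they can be checked offline: a Set-Cookie value is split on ';' only, so the comma inside an Expires date never becomes a delimiter, and the Expires-to-expires rewrite is narrowed to the attribute name rather than every occurrence of the word. The header strings are copied from this thread; the function names are assumptions of mine.

```python
import re

# Constructed sample inputs, copied from the Set-Cookie headers in this thread.
SERVER_COOKIES = [
    "USEREXIST=OMMONFRE; Expires=Sat, 18-May-2013 14:35:03 GMT; Path=/sso_admin; HttpOnly",
    "USEREXIST=; Expires=Thu, 1-Jan-1970 00:00:10 GMT; Path=/sso_admin; HttpOnly",
    "JSESSIONID=xZMgxl1gPyTV0UgpcNUmHA__; Path=/sso_admin; HttpOnly",
]


def split_attributes(set_cookie):
    """Split a Set-Cookie value on ';' only, as RFC 6265 section 4.1.1 defines.
    The Expires date contains commas and spaces; neither is a delimiter."""
    return [p.strip() for p in set_cookie.split(";") if p.strip()]


def add_secure(set_cookie):
    """Append a single 'Secure' attribute, leaving every other attribute intact.
    This is what the original iRule was meant to achieve for each cookie."""
    parts = split_attributes(set_cookie)
    if not any(p.lower() == "secure" for p in parts):
        parts.append("Secure")
    return "; ".join(parts)


def lowercase_expires(set_cookie):
    """The thread's workaround (Tcl: string map {Expires expires}), narrowed to
    the attribute name. The Tcl version would also rewrite a literal 'Expires'
    appearing inside a cookie value, which this regex leaves alone."""
    return re.sub(r";\s*Expires=", "; expires=", set_cookie)


def is_well_formed(set_cookie):
    """Sanity check for a rewritten header: the first token must be name=value
    and 'secure' may appear at most once. The mangled header on this page
    fails both the spirit and the letter of this (it carries four)."""
    parts = split_attributes(set_cookie)
    if not parts or "=" not in parts[0]:
        return False
    return sum(1 for p in parts if p.lower() == "secure") <= 1
```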

nitass
F5 Employee

This is a side effect of ID386763 (credited to KC).

Bug 386763 - HTTP::cookie remove does not remove whole cookie