Secure cookie iRule is not working as expected

vivek_76299 · ‎13-May-2013

We are using below iRule for making all cookie secure, but it is not working as expected. Below is the issue description. Help e in resolving this issue.

iRule:

when HTTP_RESPONSE {

set cookies [HTTP::cookie names]

Loop through each cookie by name in request

foreach aCookie $cookies {

Replace cookie name from list and set Secure Flag to Enable

log local0. "$aCookie, [HTTP::cookie value $aCookie]"

HTTP::cookie secure $aCookie enable

}

Issue description:

Below is the snippet of one of the set-cookie response.

Cookie sent by IIS server:

Set-Cookie USEREXIST=OMMONFRE; Expires=Sat, 18-May-2013 14:35:03 GMT; Path=/sso_admin; HttpOnly

Cookie after iRule execution:

USEREXIST=OMMONFRE;secure; Expires=Sat,;secure; 18-May-2013 14:35:03;secure; GMT;Secure; Path=/sso_admin; HttpOnly

Logs show that a single set-cookie is being interpreted as multiple set-cookie.

LT Logs:

May 13 09:15:21 tmm info tmm[6840]: Rule /Common/ir_securecookie_log : JSESSIONID, OLbwbxawwZJZVz85YLW+Ng__

May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : USEREXIST, OMMONFRE

May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : Expires, Sat,

May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : GMT,

May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : 18-May-2013, 14:03:16

Thanks,

Vivek.

Kevin_Stewart · ‎13-May-2013

Which TMOS version are you running. I haven't found anything specific to this issue, but assuming it's a bug, I tested your iRule on 11.3 and it produced the correct results.

vivek_76299 · ‎14-May-2013

The version of LTM we are using is "BIG-IP 11.1.0 Build 2027.0 Hotfix HF2".

I have observed that for some cookies it is working fine and for some it fails. Below are some examples.

Successful for below cookie:

Set-Cookie JSESSIONID=xZMgxl1gPyTV0UgpcNUmHA__; Path=/sso_admin; HttpOnly

Failure for below cookies:

Set-Cookie USEREXIST=OMMONFRE; Expires=Sat, 18-May-2013 14:35:03 GMT; Path=/sso_admin; HttpOnly

Set-Cookie USEREXIST=; Expires=Thu, 1-Jan-1970 00:00:10 GMT; Path=/sso_admin; HttpOnly

Let me know if any other information is required.

Thanks,

Vivek.

Kevin_Stewart · ‎17-May-2013

Well, that certainly looks like a bug, as it doesn't appear to affect other versions. I'd recommend opening a case with support. There are workarounds of course, but nothing as clean as what you're already doing.

pallocca_73085 · ‎18-Jun-2013

We ran into this same issue with 11.3 Engineering Hotfix HF5

At this point we just had to disable the secure cookie logic on the LTM and hope the apps set it

cookie coming from the server:

senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w; Path=/; Expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure

after running through the irule logic

senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w;Secure; Path=/; Expires=Tue, 18 Jun;secure; 2013 21:32:02;secure; GMT; HttpOnly; Secure

will be opening a case.

nitass · ‎19-Jun-2013

We ran into this same issue with 11.3 Engineering Hotfix HF5 can you change "Expires" to lower letters on your server? if not, can you try something like this?

e.g.

root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.16:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vlans-disabled
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_RESPONSE priority 100 {
  set setck [HTTP::header values "Set-Cookie"]
  HTTP::header remove "Set-Cookie"
  foreach item $setck {
    HTTP::header insert "Set-Cookie" "[string map {Expires expires} $item]"
  }
}
when HTTP_RESPONSE {
  set cookies [HTTP::cookie names]
   Loop through each cookie by name in request
  foreach aCookie $cookies {
     Replace cookie name from list and set Secure Flag to Enable
    log local0. "$aCookie, [HTTP::cookie value $aCookie]"
    HTTP::cookie secure $aCookie enable
  }
}
}

 server response (not passing through bigip)

[root@ve11a:Active:Changes Pending] config  curl -I http://200.200.200.101
HTTP/1.1 200 OK
Date: Thu, 20 Jun 2013 03:59:45 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 23 May 2013 00:28:46 GMT
ETag: "4185a8-59-c3efab80"
Accept-Ranges: bytes
Content-Length: 89
Set-Cookie: foo=1234; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly
Set-Cookie: senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w; Path=/; Expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure
Connection: close
Content-Type: text/html; charset=UTF-8

 response (passing through bigip)

[root@ve11a:Active:Changes Pending] config  curl -I http://172.28.20.16
HTTP/1.1 200 OK
Date: Thu, 20 Jun 2013 03:59:49 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 23 May 2013 00:28:46 GMT
ETag: "4185a8-59-c3efab80"
Accept-Ranges: bytes
Content-Length: 89
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: foo=1234;Secure; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly
Set-Cookie: senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w; Path=/; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure

nitass · ‎19-Jun-2013

this is side affect of ID386763 (credited to KC).

Bug 386763 - HTTP::cookie remove does not remove whole cookie

DevCentral

Secure cookie iRule is not working as expected