13-May-2013 09:45
We are using the below iRule to make all cookies secure, but it is not working as expected. Below is the issue description. Help me in resolving this issue.
iRule:
when HTTP_RESPONSE {
    set cookies [HTTP::cookie names]
    # Loop through each cookie by name in the response
    foreach aCookie $cookies {
        # Log the cookie name and value, then set the Secure flag on it
        log local0. "$aCookie, [HTTP::cookie value $aCookie]"
        HTTP::cookie secure $aCookie enable
    }
}
Issue description:
Below is the snippet of one of the set-cookie response.
Cookie sent by IIS server:
Set-Cookie USEREXIST=OMMONFRE; Expires=Sat, 18-May-2013 14:35:03 GMT; Path=/sso_admin; HttpOnly
Cookie after iRule execution:
USEREXIST=OMMONFRE;secure; Expires=Sat,;secure; 18-May-2013 14:35:03;secure; GMT;Secure; Path=/sso_admin; HttpOnly
Logs show that a single set-cookie is being interpreted as multiple set-cookie.
LTM Logs:
May 13 09:15:21 tmm info tmm[6840]: Rule /Common/ir_securecookie_log : JSESSIONID, OLbwbxawwZJZVz85YLW+Ng__
May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : USEREXIST, OMMONFRE
May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : Expires, Sat,
May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : GMT,
May 13 09:15:22 tmm1 info tmm1[6841]: Rule /Common/ir_securecookie_log : 18-May-2013, 14:03:16
Thanks,
Vivek.
13-May-2013 11:37
14-May-2013 02:21
The version of LTM we are using is "BIG-IP 11.1.0 Build 2027.0 Hotfix HF2".
I have observed that for some cookies it is working fine and for some it fails. Below are some examples.
Successful for below cookie:
Set-Cookie JSESSIONID=xZMgxl1gPyTV0UgpcNUmHA__; Path=/sso_admin; HttpOnly
Failure for below cookies:
Set-Cookie USEREXIST=OMMONFRE; Expires=Sat, 18-May-2013 14:35:03 GMT; Path=/sso_admin; HttpOnly
Set-Cookie USEREXIST=; Expires=Thu, 1-Jan-1970 00:00:10 GMT; Path=/sso_admin; HttpOnly
Let me know if any other information is required.
Thanks,
Vivek.
17-May-2013 04:27
18-Jun-2013 14:56
At this point we just had to disable the secure cookie logic on the LTM and hope the apps set it
cookie coming from the server:
senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w; Path=/; Expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure
After running through the iRule logic:
senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w;Secure; Path=/; Expires=Tue, 18 Jun;secure; 2013 21:32:02;secure; GMT; HttpOnly; Secure
will be opening a case.
19-Jun-2013 21:04
e.g.
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
destination 172.28.20.16:80
ip-protocol tcp
mask 255.255.255.255
pool foo
profiles {
http { }
tcp { }
}
rules {
myrule
}
source 0.0.0.0/0
source-address-translation {
type automap
}
vlans-disabled
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
members {
200.200.200.101:80 {
address 200.200.200.101
}
}
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_RESPONSE priority 100 {
        # Runs first: rewrite "Expires" to "expires" in every Set-Cookie header
        set setck [HTTP::header values "Set-Cookie"]
        HTTP::header remove "Set-Cookie"
        foreach item $setck {
            HTTP::header insert "Set-Cookie" "[string map {Expires expires} $item]"
        }
    }
    when HTTP_RESPONSE {
        set cookies [HTTP::cookie names]
        # Loop through each cookie by name in the response
        foreach aCookie $cookies {
            # Log the cookie name and value, then set the Secure flag on it
            log local0. "$aCookie, [HTTP::cookie value $aCookie]"
            HTTP::cookie secure $aCookie enable
        }
    }
}
Server response (not passing through BIG-IP):
[root@ve11a:Active:Changes Pending] config curl -I http://200.200.200.101
HTTP/1.1 200 OK
Date: Thu, 20 Jun 2013 03:59:45 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 23 May 2013 00:28:46 GMT
ETag: "4185a8-59-c3efab80"
Accept-Ranges: bytes
Content-Length: 89
Set-Cookie: foo=1234; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly
Set-Cookie: senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w; Path=/; Expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure
Connection: close
Content-Type: text/html; charset=UTF-8
Response (passing through BIG-IP):
[root@ve11a:Active:Changes Pending] config curl -I http://172.28.20.16
HTTP/1.1 200 OK
Date: Thu, 20 Jun 2013 03:59:49 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 23 May 2013 00:28:46 GMT
ETag: "4185a8-59-c3efab80"
Accept-Ranges: bytes
Content-Length: 89
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: foo=1234;Secure; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly
Set-Cookie: senecasid=s%3ADI51IcrxKLhxRsL9TAGodd_K.uLC%2FDbP3FlTDjmT9qYZrk%2FvPe0hTBKkylxPHYc5YdcpThMt1u7wpW6pkXyZszJwvh4zJr0S%2BSAAiJ48YQ8I12w; Path=/; expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure
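The logs in this thread show the cookie parser taking the comma inside the Expires date as a cookie separator, so the Secure flag is stamped onto every fragment. As an added example (not code from the thread or from F5, and written in Python rather than iRule Tcl), this splits Set-Cookie attributes on ';' only, adds Secure exactly once, and reports the problems in a header mangled the way the thread shows; the sample headers are constructed after the ones quoted above.

```python
from datetime import datetime

# Expires formats used by the headers in the thread: Netscape "18-May-2013" and RFC 1123 "18 Jun 2013".
COOKIE_DATE_FORMATS = ("%a, %d-%b-%Y %H:%M:%S %Z", "%a, %d %b %Y %H:%M:%S %Z")
KNOWN_ATTRS = {"expires", "path", "domain", "max-age", "secure", "httponly", "samesite"}

# Constructed samples, modelled on the Set-Cookie values quoted in the thread.
IIS_COOKIE = "USEREXIST=OMMONFRE; Expires=Sat, 18-May-2013 14:35:03 GMT; Path=/sso_admin; HttpOnly"
MANGLED = ("USEREXIST=OMMONFRE;secure; Expires=Sat,;secure; 18-May-2013 14:35:03;secure; "
           "GMT;Secure; Path=/sso_admin; HttpOnly")
ALREADY_SECURE = "senecasid=abc123; Path=/; Expires=Tue, 18 Jun 2013 21:32:02 GMT; HttpOnly; Secure"


def split_attrs(set_cookie: str) -> list:
    """Split a Set-Cookie value on ';' only; the ',' inside an Expires date
    is part of the date, never an attribute or cookie separator."""
    return [p.strip() for p in set_cookie.split(";") if p.strip()]


def parse_cookie_date(value: str):
    """Return a datetime for an Expires value, or None if it is not a cookie date."""
    for fmt in COOKIE_DATE_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt)
        except ValueError:
            continue
    return None


def add_secure(set_cookie: str) -> str:
    """Add the Secure flag exactly once, leaving every other attribute intact."""
    parts = split_attrs(set_cookie)
    if not any(p.lower() == "secure" for p in parts[1:]):
        parts.append("Secure")
    return "; ".join(parts)


def check_set_cookie(set_cookie: str) -> list:
    """Return the problems found in one Set-Cookie header (empty list means OK):
    one Secure flag, an HttpOnly flag, only known attribute names, a valid Expires date."""
    attrs = [p.partition("=") for p in split_attrs(set_cookie)[1:]]
    names = [n.lower() for n, _, _ in attrs]
    problems = []
    if names.count("secure") != 1:
        problems.append("Secure flag appears %d times" % names.count("secure"))
    if "httponly" not in names:
        problems.append("missing HttpOnly flag")
    for name, _, value in attrs:
        if name.lower() not in KNOWN_ATTRS:
            problems.append("unexpected fragment %r" % name)
        elif name.lower() == "expires" and parse_cookie_date(value) is None:
            problems.append("Expires value %r is not a date" % value)
    return problems
```

Running check_set_cookie over the Set-Cookie headers of a response behind the LTM is a quick way to confirm the rewrite produced one intact header per cookie rather than the fragmented form in the logs.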