Forum Discussion

karthik_sriniva
Apr 07, 2005

Setting HTTP Cookie

Hi,

I am trying to set an HTTP cookie from the AUTH_SUCCESS event and I get the following error:

[command is not valid in current event context (AUTH_SUCCESS)] [HTTP::username]

If the authentication was successful, is there a way to set a cookie?

Thanks,

Karthik

7 Replies

  • rapmaster_c_127
    Historic F5 Account
    You could always set a variable whose value you'd later check in the HTTP_RESPONSE event... If you paste the overall rule you have in mind (e.g. is the cookie inserted as a serverside Set-Cookie, or do you want to insert it on the client side? What profiles do you have in the chain? What are you trying to accomplish?) we can work through it.

     

  •   
     when CLIENT_ACCEPTED {   
         set tmm_auth_radius_sid [AUTH::start pam default_radius]   
     }   
     when HTTP_REQUEST {   
         set username {encrypt {[HTTP::username]}}   
         if { [HTTP::cookie exists "XYZ"] } {   
             use pool gtwLogin   
             HTTP::release   
         }   
         if { ![HTTP::cookie exists "XYZ"] } {          
             log "in auth block"               
             AUTH::username_credential $tmm_auth_radius_sid [HTTP::username]   
             AUTH::password_credential $tmm_auth_radius_sid [HTTP::password]   
             AUTH::authenticate $tmm_auth_radius_sid   
             if {$tmm_auth_radius_sid eq [AUTH::last_event_session_id]} {   
               log "abt to set auth hdr "   
               set newauth [b64encode [format "%s:%s" [HTTP::username] "xxxx"]]         
               HTTP::header insert Authorization "Basic $newauth"    
             }   
             HTTP::collect   
         }   
     }   
     when AUTH_SUCCESS {   
         if {$tmm_auth_radius_sid eq [AUTH::last_event_session_id]} {   
             log "called release after auth success"   
             [HTTP::cookie value "XYZ2" username]   
             HTTP::release   
         }   
     }   
     when AUTH_FAILURE {   
         if {$tmm_auth_radius_sid eq [AUTH::last_event_session_id]} {   
             HTTP::respond 401   
         }   
     }   
     when AUTH_WANTCREDENTIAL {   
         if {$tmm_auth_radius_sid eq [AUTH::last_event_session_id]} {   
             HTTP::respond 401        
         }   
     }   
     when AUTH_ERROR {   
         if {$tmm_auth_radius_sid eq [AUTH::last_event_session_id]} {   
             HTTP::respond 401   
         }   
     }   
     when HTTP_RESPONSE {   
      
     }   
     

    XYZ is the cookie that I have set as the name in the cookie persistence profile. This is not encrypted, so I would like to set another encrypted cookie (XYZ2) with username as its value. I do not know where to include the HTTP::cookie method so that the cookie will get set.

    Thanks for your help,

    Karthik
  • Tao_Liu_90341
    Historic F5 Account
    I assume you are trying to use a cookie to bypass authentication. In that case, the cookie should be set in HTTP_RESPONSE so the client will get it; otherwise the HTTP server would just throw it away.

    Here is a sample rule you can take a look at. It is in the database. Certainly, you can have it done in your own style.

     
     when CLIENT_ACCEPTED {  
         set authinsck 0  
         set forceauth 1  
         set ckname BIGXAUTH  
         set ckpass 1xxx5678  
         set ckvalue [IP::client_addr]  
         set ckdomain .y.z  
         set asid [AUTH::start pam default_radius]  
     }  
     when HTTP_REQUEST {  
         if {[HTTP::cookie exists $ckname]} {  
             HTTP::cookie decrypt $ckname $ckpass 128  
             if {[HTTP::cookie value $ckname] eq $ckvalue} {  
                 set forceauth 0  
             }  
             HTTP::cookie remove $ckname  
         }  
         if {$forceauth eq 1} {  
             AUTH::username_credential $asid [HTTP::username]  
             AUTH::password_credential $asid [HTTP::password]  
             AUTH::authenticate $asid  
             HTTP::collect  
         }  
     }  
     when HTTP_RESPONSE {  
         if {$authinsck eq 1} {  
             HTTP::cookie insert name $ckname value $ckvalue path / domain $ckdomain  
             HTTP::cookie secure $ckname enable  
             HTTP::cookie encrypt $ckname $ckpass 128  
         }  
     }  
     when AUTH_SUCCESS {  
         if {$asid eq [AUTH::last_event_session_id]} {  
             set authinsck 1  
             HTTP::release  
         }  
     }  
     when AUTH_FAILURE {  
         if {$asid eq [AUTH::last_event_session_id]} {  
             HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"\""  
         }  
     }  
     when AUTH_WANTCREDENTIAL {  
         if {$asid eq [AUTH::last_event_session_id]} {  
             HTTP::respond 401 "WWW-Authenticate" "Basic realm=\"\""  
         }  
     }  
     when AUTH_ERROR {  
         if {$asid eq [AUTH::last_event_session_id]} {  
             HTTP::respond 401  
         }  
     }  
     

  • Thanks for your reply. But I have one problem with your code: this block of code is not working.

     if {[HTTP::cookie exists $ckname]} {
         HTTP::cookie decrypt $ckname $ckpass 128
         if {[HTTP::cookie value $ckname] eq $ckvalue} {

    Actually, if I try to log [HTTP::cookie exists $ckname], I get 0, but I can see the cookie being set in the browser.

    Also, some of the code in the forum uses decrpt for decryption instead of decrypt.

    Again, lack of documentation is costing valuable time.

    Thanks for your help,

    karthik
  • Tao_Liu_90341
    Historic F5 Account
    I don't know why; it is likely your browser did not send the cookie. Try removing the line

     HTTP::cookie secure $ckname enable

    And if possible, use a sniffer to see if there is a cookie sent. At this level of iRule complication, you should spend some time figuring out all the details, like cookie validation and expiration, which are at your option.

    The rule posted is just an example.
  • unRuleY_95363
    Historic F5 Account
    Did you update the domain to match the domain associated with your VIP?

    The browser will only return the cookie if the domain matches. This is likely why you are not seeing the cookie in the request, but you do see it on the client.

    It's "decrypt". That was likely a typo in someone else's forum posting.

    Yes, we are updating the documentation available on AskF5; however, they have had the challenge of keeping up with new commands that are not necessarily known or completely tested at the time the documentation is published.

    This is one of the reasons we invested time in this forum, especially as a place to disseminate information that is unclear, incomplete and/or late-breaking.
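
The two causes suggested in the replies above (the Secure attribute and the cookie domain) can be checked against the browser-side rules in RFC 6265 for returning a stored cookie. This is an added example, not code from the thread or from F5; the cookie attributes mirror the sample rule, and the host names in `requests` are hypothetical.

```javascript
// RFC 6265 section 5.1.3: host equals the cookie domain, or ends with "." + domain.
function domainMatch(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase(); // a leading dot is ignored
  const h = host.toLowerCase();
  if (h === d) return true;
  const isIp = /^[\d.]+$/.test(h) || h.includes(':');      // IP literals never suffix-match
  return !isIp && h.endsWith('.' + d);
}

// RFC 6265 section 5.1.4: cookie path must be a prefix ending on a "/" boundary.
function pathMatch(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// Returns the reasons the cookie is withheld; an empty list means it is sent.
function whyNotSent(cookie, requestUrl) {
  const u = new URL(requestUrl);
  const reasons = [];
  if (!domainMatch(u.hostname, cookie.domain)) reasons.push('domain');
  if (!pathMatch(u.pathname, cookie.path)) reasons.push('path');
  if (cookie.secure && u.protocol !== 'https:') reasons.push('secure');
  return reasons;
}

// Constructed sample: the cookie as the sample rule inserts it
// (domain .y.z, path /, Secure enabled).
const cookie = { name: 'BIGXAUTH', domain: '.y.z', path: '/', secure: true };

// Hypothetical virtual server URLs (assumptions, not from the thread).
const requests = [
  'https://vip.y.z/app',
  'http://vip.y.z/app',
  'https://vip.example.com/app',
  'http://vip.example.com/app',
];

function report() {
  return requests.map(r => `${r} -> ${whyNotSent(cookie, r).join(',') || 'sent'}`);
}
console.log(report().join('\n'));
```

Any request the cookie is withheld from reaches the iRule without it, so `HTTP::cookie exists` logs 0 there.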