Hi. We'd like to change the expiration date of a Cookie when a client comes in with a certain Useragent-string. Normally our users just get the default Cookie which expires after the session. So I thought, nothing easier than that: when HTTP_REQUEST { if {([HTTP::header User-Agent] contains "LEO")} { HTTP::cookie expires Cookiename_Test 18144000 } } But this doesn't work. Actually it completely rejects the useragent. I tried different variations, by changing the Time-format, by using "persist" and all the attached options, but none did work. Can someone tell me what is wrong with this iRule? I might just oversee something. Although the f5 isn't complaining about any syntactical issues. thx. Markus

Hi Markus, The cookie in the request only contains a name and value. The expiration property is set by the server (or LTM) in responses. If you want to modify the cookie's expiration time, you'd need to check for the cookie in the response. You could do something like this: when HTTP_REQUEST { Check the User-Agent string if { [string tolower [HTTP::header User-Agent]] contains "leo" } { Set a variable to check the cookie in the response set check_cookie 1 } else { Set a variable to check the cookie in the response set check_cookie 0 } } when HTTP_RESPONSE { Check if cookie exists if { $check_cookie && [HTTP::cookie exists "Cookiename_Test"]}{ Update cookie expiry time HTTP::cookie expires Cookiename_Test 18144000 } } If that doesn't work as you expect, try adding logging of the requests/user-agents/cookies in the request and response. You could also use a browser plugin like HttpFox for Firefox or Fiddler for IE to see which cookies are being set/received. Aaron

Hi Hoolio. Thank you very much. This seemed to be the right solution. But unfortunately it doesn't update the cookie if we have one already. If I delete the cookie and access the page, the it works although. Markus

Is it a cookie being set by LTM or by the web application? If the latter, is it a web app behind the VIP this iRule is added to? The iRule would only take effect once it's been added to the VIP and only affect the cookies being set after the iRule is added. If the cookie has already been set with no expiry time, I'm not sure how you'd have to set a new cookie to expire if the previous time it was set without an expiry time. For telling the client to delete cookies the name, value and path must match the previously set cookie. Aaron

It is a cookie set by the LTM. It is not set explicitly without expiry time, but it is just a standard LTM Cookie which expires by closing the browser.

I found out, that in the Apache-logs the useragent-string looks like this: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.1.5) Gecko/20091109 Ubuntu/9.10 (karmic) Firefox/3.5.5; LEOtrace This is when I use the site with my browser. This LEOtrace is a Useragent given by a proxy which is in between. The LEO-part comes very far at the end. Could that be a problem? Although I use "contains" in the iRule as you suggested. I also tried "leotrace" btw, but that didn't work either.

cookie expire | DevCentral

19 Replies

hooleylist
Cirrostratus
Dec 02, 2009
That sounds like a TCP reset being sent from the server side. Can you check the /var/log/ltm log file for any run time TCL errors?

Aaron
mpfeifer_63884
Nimbostratus
Dec 02, 2009
It says:

"Dec 2 15:38:28 tmm tmm[1649]: 01220001:3: TCL error: nurago - can't use empty string as operand of "&&" while executing "if { [HTTP::cookie exists "Cookie_Test"] and [HTTP::cookie value "1768816906.20480.0000"] } { HTTP::cookie expires Cookie_Tes...""

This makes sense when I come with no cookie at all. So I added an "else" saying "use pool pool2". But still the same error (also in the ltm-log). Using the trial_and_error method I tool out the '[HTTP::cookie exists "Cookie_Test] and' to leave just one Testoperator, but then I get the following in the Logs:

"Dec 2 15:47:22 tmm tmm[1649]: 01220001:3: TCL error: nurago - expected boolean value but got "" while executing "if { [HTTP::cookie value "1768816906.20480.0000"] } { HTTP::cookie expires Cookie_Test 18144000 } else { use ...""
hooleylist
Cirrostratus
Dec 02, 2009
Sorry, I should have noticed that before. I think this is what you're trying to do:

[HTTP::cookie value "Cookie_Test"] eq "1718485258.20480.0000"

I don't think you need to check if the cookie exists first, as HTTP::cookie value will return a null length string even if the cookie name doesn't exist.

Aaron
mpfeifer_63884
Nimbostratus
Dec 04, 2009
Thank you Aaron. OK, this kind of works. But still is not my favourite way to handle the whole thing.

Isn't there a way to already set the Cookie at the first Request already instead of waiting for the response?

I tried a few options:

when LB_SELECTED { if {[IP::addr [LB::server addr] equals 10.1.110.105] } { persist cookie insert Cookie_Test 18144000 } }

What I am trying to do here:

When the member 10.1.110.105 gets selected to direct the traffic to, then set Cookie with expirydate.

But it doesn't set the expiry-date of the cookie, instead they get the normal default session-cookie

A similar idea was the following:

when HTTP_REQUEST { if { [LB::status pool preview99 member 10.1.110.105 80] eq "up" } { persist cookie insert Cookie_Test 18144000 } }

If the specified member in pool preview99 is up, give the special expiry cookie.

But this gives the Cookie with exprydate to all members in the pool and not only to 10.1.110.105

Probably because for the LB it is only important if that member is up, regardless if he is going to use it or not.

I must be overseeing something.

Does someone have an idea?

hooleylist

Cirrostratus

Dec 04, 2009

I would have expected this rule to work for you:

 
 when LB_SELECTED {  
    if {[IP::addr [LB::server addr] equals 10.1.110.105] } {  
       persist cookie insert Cookie_Test 18144000  
    }  
 }

I tried testing on 9.3.1 and 10.0.1, but couldn't set the cookie timeout from an iRule. You might try opening a case with F5 Support on this.

As a workaround, you could try something like this:

 
 when HTTP_RESPONSE { 
    log local0. "[IP::client_addr]:[TCP::client_port]: Set-Cookie: [HTTP::header values Set-Cookie]" 
  
    if {[HTTP::cookie exists $my_persist_cookie] && [IP::server_addr]:[TCP::server_port] eq "10.1.110.105:80"}{ 
       HTTP::cookie expires $my_persist_cookie 86400 
    } 
    log local0. "[IP::client_addr]:[TCP::client_port]: Set-Cookie: [HTTP::header values Set-Cookie]" 
 }

Aaron

mpfeifer_63884

Nimbostratus

Dec 09, 2009

Hi Hoolio. Thank you very much.

Unfortunately I cannot insert this iRule, because when I am saving it I get the error:

 
 line 4: [parse error: PARSE syntax 206 {syntax error in expression "[HTTP::cookie exists Cookie_Test] && [IP::s...": extra tokens at end of expression}] [{[HTTP::cookie exists Cookie_Test] && [IP::server_addr]:[TCP::server_port] eq "10.1.110.105:80"}]

And I can't figure out what is wrong.

hooleylist

Cirrostratus

Dec 09, 2009

Sorry, can you try this with the IP:port wrapped in double quotes:

 
  when HTTP_RESPONSE {  
     log local0. "[IP::client_addr]:[TCP::client_port]: Set-Cookie: [HTTP::header values Set-Cookie]"  
    
     if {[HTTP::cookie exists $my_persist_cookie] && "[IP::server_addr]:[TCP::server_port]" eq "10.1.110.105:80"}{  
        HTTP::cookie expires $my_persist_cookie 86400  
     }  
     log local0. "[IP::client_addr]:[TCP::client_port]: Set-Cookie: [HTTP::header values Set-Cookie]"  
  }

Thanks,

Aaron

mpfeifer_63884
Nimbostratus
Dec 10, 2009
Hi Aaron. This accepts the iRule in the GUI, but it doesn't update the cookie. Hm.
mpfeifer_63884
Nimbostratus
Dec 10, 2009
I meant: the cookie doesn't get updated.

It gets a cookie with the special expiration date, but at the second request, the expiration-date doesn't get updated.

And also if a normal Session-cookie (without expiration-date) exists, it doesn't update it with the new one.

Forum Discussion

cookie expire

19 Replies

Recent Discussions

GCP F5 deployment - Active -Active with config Sync

Deleting Old Certs

BUG Query

GSLB - Monitoring LTM VIP load balancing via iRule

Hybrid Exchange traffic and Starttls

Related Content

LTM Certificate expire

Expired ssl warning

Identify and cleanse expired and soon to expire certs from BIG-IP

Cookie-based DDoS protection

Cache Expire