Forum Discussion
Kai_Wilke
Jan 11, 2017 (MVP)
Hi Steve,
1.) Using an iRule is the only way to sanitize HTTP-request cookies.
2a.) If you need to whitelist fewer than 5 cookie names, then [if] is probably the best choice.
    when HTTP_REQUEST {
        foreach cookie [HTTP::cookie names] {
            if { not ( ( $cookie starts_with "f5" )
                    or ( $cookie starts_with "" )
                    or ( $cookie starts_with "" )
                    or ( $cookie starts_with "" )
                    or ( $cookie starts_with "" ) ) } then {
                HTTP::cookie remove $cookie
                log local0. "Removing cookie $cookie"
            }
        }
    }
2b.) If you need to whitelist more than 5 but fewer than 50 cookie names, then [switch -glob] is probably the best choice.
    when HTTP_REQUEST {
        foreach cookie [HTTP::cookie names] {
            switch -glob -- $cookie {
                "f5*" -
                "*" -
                "*" -
                "*" -
                "*" -
                "*" -
                "*" -
                "*" -
                "*" -
                "*" {
                    # Keep the cookie...
                }
                default {
                    HTTP::cookie remove $cookie
                    log local0. "Removing cookie $cookie"
                }
            }
        }
    }
2c.) If you need to whitelist more than 50 cookie names, then [class] (aka. data-groups) is probably the best choice.
    ltm data-group internal DataGroup_Cookie_Whitelist {
        records {
            "f5" {}
            "" {}
            "" {}
            "" {}
            "" {}
            "" {}
            "" {}
            "" {}
            "" {}
            "" {}
        }
        type string
    }

    when HTTP_REQUEST {
        foreach cookie [HTTP::cookie names] {
            if { not ( [class match $cookie starts_with "DataGroup_Cookie_Whitelist"] ) } then {
                HTTP::cookie remove $cookie
                log local0. "Removing cookie $cookie"
            }
        }
    }
Note: The mentioned "best-choice" is purely based on performance data. Personal preferences may result in different "best-choices" 😉
Cheers, Kai
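
An added example, not part of the post above and not F5 code: a small Python model of the prefix whitelist, for checking offline which cookies a given list would keep or remove and for catching entries that defeat the filter. The cookie names other than `f5`, the sample header and the function names are constructed; modelling `starts_with` as a case-sensitive prefix test is an assumption.

```python
# Added example: offline model of the prefix whitelist in the iRules above.
# Assumption: starts_with is modelled as a case-sensitive prefix test.

def parse_cookie_names(header):
    """Return the cookie names from a Cookie request header value, in order."""
    names = []
    for pair in header.split(";"):
        name = pair.partition("=")[0].strip()
        if name:
            names.append(name)
    return names


def audit_prefixes(prefixes):
    """Report whitelist entries that weaken or duplicate the filter."""
    problems = []
    for p in prefixes:
        if p == "":
            problems.append("empty prefix: matches every cookie name")
    for a in prefixes:
        for b in prefixes:
            if a and a != b and b.startswith(a):
                problems.append(f"'{b}' is already covered by '{a}'")
    return problems


def sanitize(header, prefixes):
    """Split cookie names into (kept, removed) as the iRule loop would."""
    kept, removed = [], []
    for name in parse_cookie_names(header):
        if any(name.startswith(p) for p in prefixes):
            kept.append(name)
        else:
            removed.append(name)
    return kept, removed


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    header = "f5avr_session=abc; JSESSIONID=123; tracking_id=xyz; F5upper=2"
    for wl in (["f5", "JSESSIONID"], ["f5", ""]):
        print(wl, audit_prefixes(wl), sanitize(header, wl))
```

Running the audit over the whitelist before it goes into the iRule or data-group shows whether an empty or overly short prefix would let every cookie through.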