Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology

Need help over cookie removal over http request

Hi All,
we are running BIG-IP 11.6 and we are using iRule to insert additional cookie and then remove a specific cookie. The addition (session) works great but the iRule to remove the cookie simply does not work. 
The iRules we have in place looks like
So I'm attempting to remove a cookie, nothing to fancy.
I've got this basic irule:
The iRule should look for a header with cookie Mycookie should remove the cookie 
Despite that I can see the cookie available using firebug etc the cookie never gets removed by the HTTP::cookie remove command since it seems the cookie does not exist here. I know the header exists and the rule is triggered
No matter what, the cookie persists. What am I doing wrong?
I can see the cookie Mycookie over the request header 

     when HTTP_REQUEST {
          if { [HTTP::uri] contains "newAdmin" } 
            if { [HTTP::cookie exists "Mycookie "] }             {
           #check for cookie existence over the header.
            HTTP::cookie remove "Mycookie"
            pool 81_pool

            elseif { [HTTP::uri] contains "Admin" } {
            set newadmin_cookie "bigip_mycookie1"
            pool pool 81_pool


newAdmin & admin is a parameter name in the query string that i want to check the value for

Rate this Discussion

Replies to this Discussion


That's actually a pretty common misconception. What I think you're trying to do is remove the cookie from the browser, but you're doing HTTP::cookie remove command in the HTTP_REQUEST event, which is an ingress flow event. This command in this event will remove this cookie from the request being sent to the server. It will have no effect on the client's possession of said cookie. What you would need to do is attach your code to the HTTP_RESPONSE egress flow event. But it's actually more fun than that. When a server sends a cookie to a client, it does so in a Set-Cookie HTTP header. When the client sends that cookie back, it does so in a Cookie HTTP header. The HTTP::cookie remove in the HTTP_REQUEST context removes the Cookie header coming from the client. The HTTP::cookie remove in the HTTP_RESPONSE context removes the Set-Cookie header coming from the server (if it exists - the server may only ever send the Set-Cookie in one response). So to get rid of the cookie in the browser you have to do two things:

  1. Put your code in the HTTP_RESPONSE egress flow event - if your logic is being triggered in the ingress flow (ie. the cookie exists in the request and now you want to remove it), then you can set a temporary variable in the request event and look for it in the response event

  2. Use the HTTP::cookie insert command to effectively expire the existing browser cookie

    when HTTP_REQUEST {
        if { [HTTP::cookie exists FOO] } {
            set unsetcookie 1
    when HTTP_RESPONSE {
        if { [info exists unsetcookie] } {
            HTTP::cookie insert name FOO value null path /
            HTTP::cookie expires FOO 0 relative
            unset unsetcookie

    It's important here that you give the new cookie the same name and path attributes as the original. This will send a new Set-Cookie header for the same (existing) browser cookie but add and expires attribute that will cause the browser to delete that cookie from its cache.

Comments on this Reply
Comment made 27-Aug-2015 by Stanislas Piron 10236
Hi, HTTP::cookie expires FOO 0 relative will define cookie time and date to F5 local time. if browser and F5 clock are not synchronized, the cookie may expire later. HTTP::cookie expires FOO 0 absolute will define cookie time and date to "Thu, 01-Jan-1970 00:00:00 GMT" which is always expired
Comment made 27-Aug-2015 by Kevin Stewart
Good point.

I came across this looking to remove the cookie. Why does expiring the cookie work for me, but I am unable to remove?