Bryce_Halkerst1
Jun 20, 2013

LTM 11.1.0 Cookie httponly flag TCL errors

All,

Have deployed the cookie httponly flag for PCI compliance. The new iRule takes down the website when applied. I am running http classes and I had to do httpclass disable for other iRules. Has anyone run into this issue?

Thanks,

Bryce

when HTTP_RESPONSE {
    # Check if the response contains the persistence cookie
    if { [HTTP::cookie BIGipServerWeblogic_Pool_STAGING] ne "" } {
        # Set the httponly flag on the persistence cookie if it is in the response
        HTTP::cookie httponly BIGipServerWeblogic_Pool_STAGING enable
    }
}

 

TCL Errors

Jun 19 18:07:14 tmm2 err tmm2[8165]: 01220001:3: TCL error: /Common/BBB_Staging_Cookie_Flag - Improper version (line 7) invoked from within "HTTP::cookie httponly BIGipServerWeblogic_Pool_STAGING enable"
Jun 19 18:07:14 tmm err tmm[8163]: 01220001:3: TCL error: /Common/BBB_Staging_Cookie_Flag - Improper version (line 1) invoked from within "HTTP::cookie httponly BIGipServerWeblogic_Pool_STAGING enable"
Jun 19 18:07:17 tmm2 err tmm2[8165]: 01220001:3: TCL error: /Common/BBB_Staging_Cookie_Flag - Improper version (line 5) invoked from within "HTTP::cookie httponly BIGipServerWeblogic_Pool_STAGING enable"
Jun 19 18:07:29 tmm3 err tmm3[8166]: 01220001:3: TCL error: /Common/BBB_Staging_Cookie_Flag - Improper version (line 7) invoked from within "HTTP::cookie httponly BIGipServerWeblogic_Pool_STAGING enable"

5 Replies

  • Hey Bryce,

    Sorry for the slow reply on this. I got sidetracked. Because HttpOnly can only be set for cookies with version 1 or 2 and the default version is 0, this is probably the cause of the problem. Can you set the version to 1 first:

    
    # Set HttpOnly on all LTM and app generated cookies
    when HTTP_RESPONSE {
       set cookieNames [HTTP::cookie names]
       foreach aCookie $cookieNames {
          HTTP::cookie version $aCookie 1
          HTTP::cookie httponly $aCookie enable
       }
    }

    # Or just for one statically defined cookie:
    when HTTP_RESPONSE {
       HTTP::cookie version myCookie 1
       HTTP::cookie httponly myCookie enable
    }
    

    Aaron
  • I got an illegal argument error on HTTP::cookie version.

    Jun 21 14:27:01 ve11a err tmm1[10969]: 01220001:3: TCL error: /Common/myrule  - Illegal argument (line 1)     invoked from within "HTTP::cookie version BIGipServerfoo 1"
    

    So, I remove the cookie and add it back later.

    e.g.

    [root@ve11a:Active:Changes Pending] config # tmsh list ltm virtual bar
    ltm virtual bar {
        destination 172.28.20.16:80
        ip-protocol tcp
        mask 255.255.255.255
        persist {
            cookie {
                default yes
            }
        }
        pool foo
        profiles {
            http { }
            tcp { }
        }
        rules {
            myrule
        }
        source 0.0.0.0/0
        source-address-translation {
            type automap
        }
        vlans-disabled
    }
    [root@ve11a:Active:Changes Pending] config # tmsh list ltm rule myrule
    ltm rule myrule {
        when HTTP_RESPONSE {
      if { [HTTP::cookie BIGipServerfoo] ne "" } {
        set ck_value [HTTP::cookie value BIGipServerfoo]
        set ck_path [HTTP::cookie path BIGipServerfoo]
        HTTP::cookie remove BIGipServerfoo
        HTTP::cookie insert name BIGipServerfoo value $ck_value path $ck_path version 1
        HTTP::cookie httponly BIGipServerfoo enable
      }
    }
    }
    
    [root@ve11a:Active:Changes Pending] config # curl -I http://172.28.20.16
    HTTP/1.1 200 OK
    Date: Fri, 21 Jun 2013 06:58:06 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Thu, 23 May 2013 00:28:46 GMT
    ETag: "4185a8-59-c3efab80"
    Accept-Ranges: bytes
    Content-Length: 89
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: BIGipServerfoo=1707657416.20480.0000;HttpOnly;Path=/;Version=1;
    
    
  • Aaron,

    Thanks for your quick response. I just need the httponly flag for 2 cookies. Going to perform the following iRule on staging.

    Thanks,

    Bryce

    when HTTP_RESPONSE {
       # Check if the response contains the Foo cookie
       if { [HTTP::cookie BIGipServerWeblogic_Foo] ne "" } {
          HTTP::cookie version BIGipServerWeblogic_Foo 1
          HTTP::cookie httponly BIGipServerWeblogic_Foo enable
       }

       # Check if the response contains the FooBoo cookie
       if { [HTTP::cookie FooBoo] ne "" } {
          HTTP::cookie version FooBoo 1
          HTTP::cookie httponly FooBoo enable
       }
    }
  • I get the same error - illegal argument error on HTTP::cookie version. Any solution?

     

    • boneyard
      Have you read the replies above? One solution would be to set the version. Did that work for you?
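
Added example (not part of the thread and not F5 code): a shell helper for confirming the result of any of the iRules above, in the same way as the `curl -I` test earlier in the thread. It reads response headers on stdin and prints the name of every cookie whose Set-Cookie line lacks HttpOnly; the function names and the JSESSIONID and theme sample cookies are constructed for illustration.

```shell
#!/bin/sh
# Print the name of each cookie whose Set-Cookie header lacks HttpOnly.
# Input: raw HTTP response headers on stdin (e.g. the output of curl -sI).
missing_httponly() {
    tr -d '\r' | awk '
        tolower($0) ~ /^set-cookie:/ {
            line = $0
            sub(/^[^:]*:[ \t]*/, "", line)         # drop the header name
            n = split(line, part, ";")             # part[1] is name=value
            name = part[1]
            sub(/=.*/, "", name)                   # keep only the cookie name
            found = 0
            for (i = 2; i <= n; i++) {             # attributes follow name=value
                attr = tolower(part[i])            # attribute names are case-insensitive
                gsub(/[ \t]/, "", attr)
                if (attr == "httponly") found = 1
            }
            if (!found) print name
        }'
}

# Constructed sample input. The first Set-Cookie line is the one from the
# curl output in the thread; the other two are made up for this example.
sample_headers() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Set-Cookie: BIGipServerfoo=1707657416.20480.0000;HttpOnly;Path=/;Version=1;' \
        'Set-Cookie: JSESSIONID=abc123; Path=/' \
        'set-cookie: theme=dark; path=/; httponly' \
        'Content-Length: 89'
}

sample_headers | missing_httponly
```

Against a live virtual server the call is `curl -sI http://172.28.20.16 | missing_httponly`; empty output means every cookie in that response carried the flag.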