Masking cookie names from the server

Question

I have fighting sessionID cookies from two different applications. One uses a subdomain, the other uses the root domain. My work around idea is to hide the cookie using the root domain from the application that sets the subdomain cookie. These two application have two different virtual servers.
In order to try to implement this, I've created:
&nbsp;

when HTTP_REQUEST{
   if { [HTTP::cookie exists "sessionID"] and [HTTP::header "Cookie"] contains "sessionID" } {
       log local0. "Should be mangling streams"
      STREAM::disable
      STREAM::expression "@sessionID@HiddensessionID@"
      STREAM::enable
   }
}
&nbsp;
This just simply does nothing. Watching packets hit the server, "sessionID" is never re-written. However, I do end up with the logged message "Should be mangling streams".
Anyone know why this isn't working for me? It's important that I not delete any cookies, I just want to hide one when using a specific virtual server.

hooleylist · Answer

Hi, 
&nbsp;  
&nbsp; A stream profile applied to a VS with an HTTP profile will only affect the HTTP request and response payloads.  Cookies in the request are just name=value pairs.  The client won't include cookie properties that the server set like the path or domain. 
&nbsp;  
&nbsp; So can you differentiate between the cookies just based on the value?  If so, would you want to rename the "wrong" session cookie name?  Or would you just want to remove it from requests that are proxied to the pool?  You can remove a cookie using HTTP::cookie remove.  But I'm not sure how HTTP::cookie remove will handle two cookies with the same name.  It might remove the last cookie (or both!).  You could save the cookie value that you want, remove all cookies with that name and then insert the correct value again.  This assumes that you can determine the correct cookie value though. 
&nbsp;  
&nbsp; Aaron 
&nbsp;  &nbsp;

hooleylist · Answer

Actually if one or both cookies are set in responses through LTM, you could try to rename the cookie in the response and then name it back on subsequent requests (or remove it or do whatever else you want with it).  You could look for the cookie by name and path in the Set-Cookie headers, save the value, remove the "wrong" cookie and insert it with a new name and original value, path, etc. 
&nbsp;  
&nbsp; If this sounds like a workable solution for you, let me know and I'll test an example iRule. 
&nbsp;  
&nbsp; Aaron

istockchris_390 · Answer

Yes, it looks like you're ahead of us on working this out.&nbsp;
&nbsp;We can diferrentiate based on cookie value. So, we implemented that, but then realized that it didn't matter. The browser was only allowing one sessionID cookie to exist and it seemed like the sub.domain.com cookie wasn't getting set if it existed in .domain.com. So we could mask this cookies existence from the server, but the browser still wouldn't set it.&nbsp;
&nbsp;So what you described, a "cookie translation" if you will, seems like the only workable option.&nbsp;
&nbsp;I'll see what I'm able to make work. Thanks for the help.&nbsp;

hooleylist · Answer

I thought browsers should support multiple cookies with the same name if the domain and/or path is different.  
&nbsp;  
&nbsp; Regardless, the response cookie rewriting should work as well.  If you get stuck on how to do this in an iRule, can you post an anonymized copy of a response where both cookies are set?   
&nbsp;  
&nbsp; Thanks, Aaron

istockchris_390 · Answer

The following appears to work perfectly, if you just look at the logs. However, the application (obviously OWA in this case) isn't fooled. Because it's encrypted I can't use tcpdump to confirm the headers are correctly being set.
&nbsp;

when HTTP_REQUEST {
if { [HTTP::header exists "Cookie"] and [HTTP::header "Cookie"] contains "OWAsessionid" } {
log local0. "Trying to send cookie(s): [HTTP::header "Cookie"]"
set new_cookies [string map {OWAsessionid= sessionid=} [HTTP::header value "Cookie"]]
HTTP::header remove "Cookie"
HTTP::header insert "Cookie" $new_cookies
log local0. "Actually sent cookie(s): [HTTP::header "Cookie"]"
}
}

when HTTP_RESPONSE {
if { [HTTP::header exists "Set-Cookie"] and [HTTP::header "Set-Cookie"] contains "sessionid" } {
log local0. "Trying to set cookie: [HTTP::header value "Set-Cookie"]"
set new_cookies [string map {sessionid= OWAsessionid=} [HTTP::header value "Set-Cookie"]]
HTTP::header remove "Set-Cookie"
HTTP::header insert "Set-Cookie" $new_cookies
log local0. "Actually set: [HTTP::header value "Set-Cookie"]"
}

}

&nbsp;
The logging output from this rule:
Dec 9 15:53:23 tmm tmm[2524]: Rule CookieMask2 : Trying to set cookie: sessionid=78bb3b32-ec44-4d2f-a888-52bdd454c9f7; path=/; path=/
Dec 9 15:53:23 tmm tmm[2524]: Rule CookieMask2 : Actually set: OWAsessionid=78bb3b32-ec44-4d2f-a888-52bdd454c9f7; path=/; path=/
Dec 9 15:53:23 tmm tmm[2524]: Rule CookieMask2 : Trying to send cookie(s): BIGipServerPool_Exchange=2689860362.20480.0000; OutlookSession=aacc1677c2f84a18836f5eb3d560dcd1; PBack=0; OWAsessionid=78bb3b32-ec44-4d2f-a888-52bdd454c9f7
Dec 9 15:53:23 tmm tmm[2524]: Rule CookieMask2 : Actually sent cookie(s): BIGipServerPool_Exchange=2689860362.20480.0000; OutlookSession=aacc1677c2f84a18836f5eb3d560dcd1; PBack=0; sessionid=78bb3b32-ec44-4d2f-a888-52bdd454c9f7

Forum Discussion

Masking cookie names from the server

8 Replies

Recent Discussions

BIG-IP DNS: Check Status Of Multiple Monitors Against Pool Member

Open Redirection Mitigation

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

Related Content

Response port masking

Cookie-based DDoS protection

Decoding the IPv4 address from the persistence cookie

URI Masking

Re: SYN Cookie operation