Forum Discussion

ichalis_37981's avatar
ichalis_37981
Historic F5 Account
Dec 20, 2011

Setting Cookie "HttpOnly" flag and Expires on Redirect and response

Hi all,

 

 

I ave a requirement to both set a cookie on redirect and insert a cookie on response. (at different points within my rule logic).

 

 

 

Both cookies will have the same content and need to have an expiry of 1hour and have the HttpOnly flag set.

 

 

 

I have had an inordinate amount of trouble getting this to work on 10.2. It seems its easy to set a cookie on response:

 

 

 

HTTP::cookie insert name $static::COOKIE_NAME value $COOKIE_VALUE path "/" domain $static::COOKIE_DOMAIN

 

HTTP::cookie expires $static::COOKIE_NAME 600 relative

 

 

 

 

But i also need to set the HttpOnly flag which (it seems) is impossible using HTTP::cookie in v10.x.??

 

 

 

Also, when i redirect, i need to do the same thing. Here, setting HttpOnly is easy, but now I am having problems trying to set the Expiry on the cookie!:

 

 

 

set COOKIE [format "%s=%s; path=/; domain=%s; Expires=%s HttpOnly" $COOKIE_VALUE $static::COOKIE_DOMAIN $static::COOKIE_EXPIRES]

 

HTTP::respond 302 Location "http://$DETECTED_DOMAIN" "Set-Cookie" $COOKIE

 

 

 

 

I find the browser doesn't return the cookie if the Expires flag is set.

 

 

 

Any idea whats going wrong here? Is there a simpler way to set these cookies that i'm unaware of?

 

 

 

Any help would be much appreciated!

 

Cheers..

 

 

 

application delivery
dev
devops
iRules

4 Replies

Sort By
  • George_Watkins_'s avatar
    George_Watkins_
    Historic F5 Account
    Dec 20, 2011
    Can you give this a try?

    when HTTP_REQUEST {

    1 year = 31536000 seconds

    set cookie_expire 31536000

    set cookie_expire_date [clock format [expr [clock seconds] + $cookie_expire] -format "%a, %d-%b-%Y %H:%M:%S GMT" -gmt true]

    set cookie_domain .test.domain.local

    set cookie_name my_cookie

    set cookie_value 12345

    set cookie [format "%s=%s; path=/; domain=%s; expires=%s; HttpOnly" $cookie_name $cookie_value $cookie_domain $cookie_expire_date]

    HTTP::respond 302 Location "http://www.google.com" "Set-Cookie" $cookie

    }

    This works for me. I made a few tweaks, but you were 95% of the way there. Hope this helps,

    George

  • ichalis_37981's avatar
    ichalis_37981
    Historic F5 Account
    Dec 20, 2011
    Fantastic!! Thanks George for your reply, this fixed the first half of my problem.. progress!!!

     

     

    Now i just need to figure out how to set the HttpOnly flag when not doing a redirect.... :)

     

     

  • nitass's avatar
    nitass
    Icon for Employee rankEmployee
    Dec 20, 2011
    have you tried HTTP::header insert? 

    [root@ve1023:Active] config  b virtual bar list
virtual bar {
   snat automap
   pool foo
   destination 172.28.19.79:80
   ip protocol 6
   rules myrule
   profiles {
      http {}
      tcp {}
   }
}
[root@ve1023:Active] config  b rule myrule list
rule myrule {
   when HTTP_RESPONSE {
         1 year = 31536000 seconds
        set cookie_expire 31536000
        set cookie_expire_date [clock format [expr [clock seconds] + $cookie_expire] -format "%a, %d-%b-%Y %H:%M:%S GMT" -gmt true]

        set cookie_domain .test.domain.local
        set cookie_name my_cookie
        set cookie_value 12345

        set cookie [format "%s=%s; path=/; domain=%s; expires=%s; HttpOnly" $cookie_name $cookie_value $cookie_domain $cookie_expire_date]
        HTTP::header insert "Set-Cookie" $cookie
}
}

[root@ve1023:Active] config  curl -I http://172.28.19.79
HTTP/1.1 200 OK
Date: Tue, 20 Dec 2011 17:50:56 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
ETag: "4183e4-3e-9c564780"
Accept-Ranges: bytes
Content-Length: 62
Connection: close
Content-Type: text/html; charset=UTF-8
Set-Cookie: my_cookie=12345; path=/; domain=.test.domain.local; expires=Wed, 19-Dec-2012 17:50:42 GMT; HttpOnly
  • ichalis_37981's avatar
    ichalis_37981
    Historic F5 Account
    Dec 20, 2011
    Thanks guys!! All working! I guess i was hoping there was a cleaner way that this could be done..