Forum Discussion

hajo_36766
Jul 08, 2008

removing part of a cookie

Can I remove part of a cookie in an HTTP response with an iRule?

Examples of cookies are:

Set-Cookie: infoview_userCultureKey=useBrowserLocale; expires=Tue, 29-Aug-2017 01:46:00 GMT; path=/; HttpOnly

Set-Cookie: InfoViewSystemName=; expires=Fri, 29-Aug-2008 13:46:01 GMT; path=/; HttpOnly

Set-Cookie: InfoViewUserName=YQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgA=; expires=Fri, 29-Aug-2008 13:46:01 GMT; path=/; HttpOnly

Set-Cookie: InfoViewAuth=Enterprise; expires=Fri, 29-Aug-2008 13:46:01 GMT; path=/; HttpOnly

I need to remove the "HttpOnly" from each cookie in which it occurs.

(I am really new to iRules, please help)

6 Replies

  • Do you want to remove the HttpOnly option on every response for every cookie? Which version of LTM are you running?

    Here is an example iRule you can use for 9.4+ to remove HttpOnly from every response cookie:

     
     when HTTP_RESPONSE {

        # Check if there are any Set-Cookie headers
        if {[HTTP::header exists "Set-Cookie"]} {

           # Save every Set-Cookie value, then remove the headers. HTTP::header replace
           # only changes the last header of that name, so each value is re-inserted instead.
           set set_cookie_values [HTTP::header values "Set-Cookie"]
           HTTP::header remove "Set-Cookie"

           # Loop through each saved Set-Cookie value and remove the HttpOnly option
           foreach a_set_cookie_value $set_cookie_values {

              log local0. "[IP::client_addr]:[TCP::client_port]: Current Set-Cookie value: $a_set_cookie_value,\
                 updated value [string map -nocase {HttpOnly ""} $a_set_cookie_value]"
              HTTP::header insert "Set-Cookie" [string map -nocase {HttpOnly ""} $a_set_cookie_value]
           }
        }
     }
     

    I haven't tested this, so if you try it and run into issues, check the /var/log/ltm log file for the original and updated Set-Cookie header values. You can also use a browser plugin like LiveHttpHeaders for Firefox or Fiddler for IE to view the headers sent to the client.

    If you run into issues, please reply with the log output.

    Thanks,

    Aaron
  • Hello Aaron, thanks for your message.

    Yes, I want to remove the HttpOnly option on every response for every cookie.

    But the version is only BIG-IP 9.1.2 Build 40.2. Is it necessary to make an update?

    It's not so easy, because it's in production.
  • In < 9.4.x, you cannot easily get a list of the header values for multiple instances of the same header. I think you'd have to iteratively save each Set-Cookie header value, modify it, and remove it. Once all the cookie headers have been removed, you could add back the modified versions.

    Is there any chance of modifying the application to not set this cookie option?

    I'll see about testing this to confirm you'd need to remove them and then come up with an example. Irrespective of this, you should consider upgrading at least to the latest maintenance release, 9.3.x now, or once 9.5 is released.

    Aaron
  • There is no chance of modifying the application at this time. It's a bug in the application software and it will be resolved next time. Until then, we want to create a workaround solution.

    You are right, an upgrade is necessary and I will plan it.

    Thanks

    Hajo
  • I tested the following rule, but it won't work as 'HTTP::header remove Set-Cookie' removes all Set-Cookie headers (not just the current one). 'HTTP::header value Set-Cookie' will only return the last header with that name.

     
     when HTTP_RESPONSE {

        # Insert some test response Set-Cookie headers
        HTTP::header insert Set-Cookie {infoview_userCultureKey=useBrowserLocale; expires=Tue, 29-Aug-2017 01:46:00 GMT; path=/; HttpOnly}
        HTTP::header insert Set-Cookie {InfoViewSystemName=; expires=Fri, 29-Aug-2008 13:46:01 GMT; path=/; HttpOnly}
        HTTP::header insert Set-Cookie {InfoViewUserName=YQBkAG0AaQBuAGkAcwB0AHIAYQB0AG8AcgA=; expires=Fri, 29-Aug-2008 13:46:01 GMT; path=/; HttpOnly}
        HTTP::header insert Set-Cookie {InfoViewAuth=Enterprise; expires=Fri, 29-Aug-2008 13:46:01 GMT; path=/; HttpOnly}

        log local0. "Set-Cookie header count: [HTTP::header count "Set-Cookie"]"

        # Loop through the Set-Cookie headers and save a copy of each value in an array without the HttpOnly option
        for {set i 0} {$i < [HTTP::header count "Set-Cookie"]} {incr i} {
           log local0. "Current Set-Cookie $i: [HTTP::header value Set-Cookie]"
           set set_cookies($i) [string map -nocase {{; HttpOnly} "" HttpOnly ""} [HTTP::header value "Set-Cookie"]]
           HTTP::header remove "Set-Cookie"
        }

        # Loop through the array and re-insert the headers
        for {set j 0} {$j < [array size set_cookies]} {incr j} {
           HTTP::header insert "Set-Cookie" $set_cookies($j)
           log local0. "Current Set-Cookie $j: $set_cookies($j)"
        }
        unset set_cookies
     }
     

    Log output:

    : Set-Cookie header count: 3

    : Current Set-Cookie 0: InfoViewAuth=Enterprise; expires=Fri, 29-Aug-2008 13:46:01 GMT; path=/; HttpOnly

    : Current Set-Cookie 0: InfoViewAuth=Enterprise; expires=Fri, 29-Aug-2008 13:46:01 GMT; path=/

    If 'HTTP::header remove HEADER_NAME' in 9.1.2 also removes all headers of the same name, I'm not sure there is a way to loop through the Set-Cookie headers and modify them.

    You could possibly collect the TCP payload on responses and replace HttpOnly with nothing. It would be a lot of overhead though just to modify the headers.

    Aaron
  • Thank you for your work. I think in this case it's best if I upgrade to 9.4+ and then use the first option.

    Hajo
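
An attribute-aware alternative to the `string map` substitution used in the replies above, as an added example that is not part of the original thread: it drops only a standalone `HttpOnly` attribute, so a cookie name or value that happens to contain that substring is left intact. It is plain Tcl 8.4 that runs in tclsh; `strip_httponly` is a hypothetical helper name and the third sample cookie is constructed, and inside an iRule the loop body would take the place of the `string map` call.

```tcl
# Added example, not code from the thread. strip_httponly is a hypothetical name.
proc strip_httponly {set_cookie} {
    set kept {}
    set index 0
    # A cookie value cannot contain ";", so splitting on it yields
    # name=value followed by the individual attributes.
    foreach part [split $set_cookie ";"] {
        set token [string trim $part]
        set is_attribute [expr {$index > 0}]
        incr index
        # Segment 0 is always name=value and is never dropped.
        if {$is_attribute && [string equal -nocase $token "HttpOnly"]} {
            continue
        }
        if {$token ne ""} {
            lappend kept $token
        }
    }
    return [join $kept "; "]
}

# Sample values: two in the format shown in the question (one with the
# attribute lower-cased), plus a constructed cookie whose value contains
# the substring "httponly".
set samples [list \
    {InfoViewAuth=Enterprise; expires=Fri, 29-Aug-2008 13:46:01 GMT; path=/; HttpOnly} \
    {InfoViewSystemName=; expires=Fri, 29-Aug-2008 13:46:01 GMT; path=/; httponly} \
    {banner=httponly_notice_seen; path=/; HttpOnly}]

# Print both results side by side so the difference on the third
# sample is visible: string map also rewrites the cookie value.
foreach value $samples {
    puts "original:        $value"
    puts "string map:      [string map -nocase {HttpOnly ""} $value]"
    puts "attribute-aware: [strip_httponly $value]"
    puts ""
}
```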