Forum Discussion

mr_skater99_640
Mar 03, 2010

Stripping Cookies

We have an off the shelf product that sets too many cookies and cookies on all domains configured in the product (these aren't needed). We're trying to tidy some of this up and we've got some of it working,

    when HTTP_RESPONSE {
        if { [HTTP::header "server"] equals "blah" } {
            set cookies [HTTP::cookie names]
            # Walk every cookie name in the response and drop the unwanted one
            foreach aCookie $cookies {
                if {[string tolower $aCookie] equals "offending_cookie"} {
                    HTTP::cookie remove $aCookie
                }
            }
        }
    }

This strips all "offending_cookie". What we need to do now is strip cookies that are for anything other than the domain the request was made on.

 

 

I tried the following to see if I could remove a cookie with an offending domain (my intention was once this was working to then make it dynamic to pick up the domain the request was made on and go that way).

    when HTTP_RESPONSE {
        if { [HTTP::header "server"] equals "blah" } {
            set cookies [HTTP::cookie names]
            foreach aCookie $cookies {
                # Domain attribute as reported for this cookie name
                set cookieDomain [HTTP::cookie domain $aCookie]
                if {[string tolower $aCookie] equals "offending_cookie"} {
                    HTTP::cookie remove $aCookie
                } elseif {$cookieDomain contains ".bad.domain.com"} {
                    HTTP::cookie remove $aCookie
                }
            }
        }
    }

But this doesn't work - any pointers????

Cheers.

12 Replies

  • The rule looks like it should work. Can you try this version with debug logging to see what's being matched for each cookie?

     
    when HTTP_RESPONSE {
        if { [HTTP::header "server"] equals "blah" } {
            log local0. "Checking cookies: [HTTP::cookie names]"
            foreach aCookie [HTTP::cookie names] {
                log local0. "Checking cookie: $aCookie, with domain: [HTTP::cookie domain $aCookie]"
                if {[string tolower $aCookie] equals "offending_cookie"} {
                    log local0. "Removing cookie: $aCookie in name check"
                    HTTP::cookie remove $aCookie
                } elseif {[HTTP::cookie domain $aCookie] contains ".bad.domain.com"} {
                    log local0. "Removing cookie: $aCookie in domain check"
                    HTTP::cookie remove $aCookie
                }
            }
        }
    }
     

    Once you're done testing, you can comment out or remove the debug logging.

    Aaron
  • Hey Hoolio,

    Thanks very much for your reply - I had to wait until we got a Virtual BigIp up before I could do any real testing...

    This is the rule I put in:

    when HTTP_RESPONSE {
        if { [HTTP::header "server"] equals "daui" } {
            foreach aCookie [HTTP::cookie names] {
                if {[string tolower $aCookie] equals "amlbcookie"} {
                    HTTP::cookie remove $aCookie
                } elseif {[HTTP::cookie domain $aCookie] contains ".exttest.lab"} {
                    HTTP::cookie remove $aCookie
                } elseif {[HTTP::cookie domain $aCookie] contains ".xint.xcorp.xsun"} {
                    HTTP::cookie remove $aCookie
                }
            }
        }
    }

    Here's what the logs show:

    Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookies: JSESSIONID amlbcookie amlbcookie amlbcookie amlbcookie AMDistAuthCookie AMDistAuthCookie AMDistAuthCookie AMDistAuthCookie amlbcookie amlbcookie amlbcookie amlbcookie BIGipServerpool-amdaui   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: JSESSIONID, with domain:   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: amlbcookie, with domain: .gio.com.au   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Removing cookie: amlbcookie in name check   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: amlbcookie, with domain: .exttest.lab   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Removing cookie: amlbcookie in name check   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: amlbcookie, with domain: .vero.apps.anznb.co.nz   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Removing cookie: amlbcookie in name check   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: amlbcookie, with domain: .xint.xcorp.xsun   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Removing cookie: amlbcookie in name check   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: AMDistAuthCookie, with domain: .gio.com.au   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: AMDistAuthCookie, with domain: .gio.com.au   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: AMDistAuthCookie, with domain: .gio.com.au   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: AMDistAuthCookie, with domain: .gio.com.au   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: amlbcookie, with domain: .gio.com.au   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Removing cookie: amlbcookie in name check   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: amlbcookie, with domain: .exttest.lab   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Removing cookie: amlbcookie in name check   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: amlbcookie, with domain: .vero.apps.anznb.co.nz   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Removing cookie: amlbcookie in name check   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: amlbcookie, with domain: .xint.xcorp.xsun   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Removing cookie: amlbcookie in name check   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookie: BIGipServerpool-amdaui, with domain:   
      Wed Mar 24 13:43:59 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookies:   
      Wed Mar 24 13:44:01 EST 2010 local/tmm info tmm[2595] Rule aimtest-uri_Irule : Checking cookies: 

    So the amlbcookie disappears no worries - the problem is this:

    The F5 shows 4 AMDistAuthCookies with the domain as .gio.com.au and so doesn't drop them, yet in the browser I see:

    Set-CookieAMDistAuthCookie=http://samru3.exttest.lab:80/distAuth/UI/Login; Domain=.gio.com.au; Path=/  
      Set-CookieAMDistAuthCookie=http://samru3.exttest.lab:80/distAuth/UI/Login; Domain=.exttest.lab; Path=/  
      Set-CookieAMDistAuthCookie=http://samru3.exttest.lab:80/distAuth/UI/Login; Domain=.vero.apps.anznb.co.nz; Path=/  
      Set-CookieAMDistAuthCookie=http://samru3.exttest.lab:80/distAuth/UI/Login; Domain=.xint.xcorp.xsun; Path=/

    Any ideas????
  • I'd guess the issue is with handling multiple instances of the same cookie names with the HTTP::cookie domain command. Short of saving the cookie values and then removing each cookie one by one, I'm not sure how you could handle this.

    Maybe F5 Support would have ideas on this?

    Aaron
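
Added example, not part of the thread and not F5's code: one way to handle several Set-Cookie headers that share a name is to filter the raw headers instead of relying on HTTP::cookie domain. It assumes the request's Host header names the domain to keep, leaves host-only cookies (no Domain attribute) alone, and matches on a label boundary, since a contains test on ".exttest.lab" would also match a longer domain that merely includes that string; req_host, kept and changed are names chosen here.

```tcl
# Added example (assumptions: keep cookies for the request host only;
# the variable names req_host, kept and changed are illustrative).
when HTTP_REQUEST {
    # Save the host, lower-cased and without any port, for the response event.
    set req_host [string tolower [getfield [HTTP::host] ":" 1]]
}
when HTTP_RESPONSE {
    if { [HTTP::header "server"] equals "blah" } {
        set kept [list]
        set changed 0
        # Each Set-Cookie header is inspected on its own, so four cookies
        # with the same name are seen with four different Domain attributes.
        foreach sc [HTTP::header values "Set-Cookie"] {
            # The cookie name is everything before the first "=".
            set name [string tolower [string trim [getfield $sc "=" 1]]]
            # Pull out the Domain attribute, without its leading dot.
            set dom ""
            regexp -nocase {;\s*domain=\s*\.?([^;\s]+)} $sc -> dom
            set dom [string tolower $dom]
            if { $name eq "offending_cookie" } {
                set changed 1
            } elseif { $dom ne "" && [string range ".$req_host" end-[string length $dom] end] ne ".$dom" } {
                # The request host is neither $dom nor a subdomain of it.
                set changed 1
            } else {
                lappend kept $sc
            }
        }
        if { $changed } {
            # Remove every Set-Cookie header, then re-insert the survivors
            # unmodified so Path, Expires and other attributes are preserved.
            HTTP::header remove "Set-Cookie"
            foreach sc $kept {
                HTTP::header insert "Set-Cookie" $sc
            }
        }
    }
}
```
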
  • I used this code to strip a cookie that was causing us problems, and I encountered a problem with the code.

    The problem occurred when we received a cookie whose name included a quote. In that case, "foreach a_cookie [HTTP::cookie names]" produced errors something like these:

    list element in quotes followed by "customerSurvey":"NA"" instead of space

    list element in quotes followed by ":" instead of space

    unmatched open quote in list

    Unfortunately, it doesn't log the offending list element or list, but I think one of the cookie names was something like '"foo":'. (foo in quotes, with a colon after the close quote.)

    As best as I can tell, quotes aren't legal in cookie names, which obey the rule for HTTP tokens. However, that doesn't mean that they can't occur in a Cookie: header. I created them myself using Fiddlerscript.

    However, I'm really not quite sure why the list is being scanned for syntax in the line "foreach a_cookie [HTTP::cookie names]". It seems like [HTTP::cookie names] would be treated as a single syntactic item and would not be further expanded.

    Is this an F5 bug?

  • Hi Craig,

    I think this is a bug in the app or client that is using a double quote in the cookie name :). Can you try stripping out the double quotes before using the value in foreach?

    foreach a_cookie [string map [list {"} {}] [HTTP::cookie names]]

    and then remove the double quotes from your comparisons?

    Aaron
  • just wondering if quote really causes a problem. also, if quote is interpreted, how can we get cookie value of the cookie name which has quote e.g. foo.

    [root@ve10:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.79:80
       ip protocol 6
       rules myrule
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve10:Active] config  b pool foo list
    pool foo {
       members 200.200.200.101:80 {}
    }
    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when HTTP_RESPONSE {
       log local0. "\[HTTP::cookie names\]: [HTTP::cookie names]"
       foreach a_cookie [HTTP::cookie names] {
          log local0. "\$a_cookie: $a_cookie=[HTTP::cookie $a_cookie] (\$a_cookie=\[HTTP::cookie $a_cookie\])"
       }
    }
    }
    
     on client
    
    [root@centos11 ~] curl -I http://172.28.19.79
    HTTP/1.1 200 OK
    Date: Fri, 26 Oct 2012 08:00:42 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
    ETag: "4183e4-3e-9c564780"
    Accept-Ranges: bytes
    Content-Length: 62
    Set-Cookie: "foo"=123456; path=/
    Set-Cookie: bar=abcdef; path=/
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
     log on bigip
    
    [root@ve10:Active] config  tail -f /var/log/ltm
    Oct 26 15:43:18 local/tmm info tmm[7926]: Rule myrule : [HTTP::cookie names]: "foo" bar
    Oct 26 15:43:18 local/tmm info tmm[7926]: Rule myrule : $a_cookie: foo= ($a_cookie=[HTTP::cookie foo])
    Oct 26 15:43:18 local/tmm info tmm[7926]: Rule myrule : $a_cookie: bar=abcdef ($a_cookie=[HTTP::cookie bar])
    
    
    • Robert_47833
      not double quotes. but more than double quotes try this: "test"xyz or "test"p"xyz" or “test”xyz" ,then u will see the error
  • I did end up using regsub to strip the quotes from the string returned by [HTTP::cookie names] before using it as a list.

    The difference between my test and yours is that my cookie name had text after the quote. I tested with

    Cookie: "foo":=bar

    However, it seems like the list may be being interpreted one too many times. Maybe I'm misunderstanding Tcl, but I think the results of a list command should be able to be used as a list even though the list has invalid members.

    Whether or not that's a valid cookie name is irrelevant. We need to anticipate that invalid things will be transmitted from clients.

    Note that I don't know exactly what the invalid list entry is, nor the client IP, because neither is being logged. I know I could probably find both pieces of information using catch, but I really don't want to release debugging code on a production box. :-)
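
Added example in plain Tcl (runs in tclsh), not code from the thread: foreach parses its argument as a Tcl list, so a names string that is not well-formed list syntax raises the errors quoted above, while "foo" on its own parses and loses its quotes. The input strings are constructed to mirror the names reported here, and safe_names is a hypothetical helper that splits on whitespace instead of list-parsing; whether HTTP::cookie then accepts a name that still carries its quotes is not shown in the thread.

```tcl
# Added example: constructed inputs, hypothetical helper name.
proc safe_names {raw} {
    # split never applies list-quoting rules, so it cannot raise a
    # list-syntax error and it keeps every name byte-for-byte.
    set out [list]
    foreach n [split $raw " "] {
        if { $n ne "" } { lappend out $n }
    }
    return $out
}

# Constructed samples: a quoted name alone, a quoted name followed by a
# colon, and a quoted name followed by more text.
foreach raw [list {"foo" bar} {"foo": bar} {"test"xyz bar}] {
    # Treating the raw string as a list is what foreach does implicitly.
    if { [catch { foreach n $raw {} } err] } {
        puts "list parse of <$raw> fails: $err"
    } else {
        puts "list parse of <$raw> yields: [join [lrange $raw 0 end] {, }]"
    }
    puts "  split yields: [join [safe_names $raw] {, }]"
}
```
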