HTTP::cookie - How can I handle cookies with duplicate names but diffrent domain value?

Question

I'm trying to set HttpOnly value for a given cookie name/domain combination (BigIP v9.4). The backend servers (OpenSSO) creates a authentication cookie that does not have this value set.&nbsp;
&nbsp;My problem is that OpenSSO sends out one cookie for each configured domain with the same cookie name but diffrent domain value. I've created an iRule to set the HttpOnly value for a given cookie name, but it does not work with duplicate cookie names. With duplicate cookie names the command seem to give back only the first match.&nbsp;
&nbsp;It seems like the HTTP::cookie value command is missing a domain parameter... Any logic leeding to setting the HttpOnly value for all cookies with name iPlanetDirectoryPro or a specific iPlanetDirectoryPro cookie would be acceptable.&nbsp;
&nbsp;iRule:
&nbsp;when HTTP_RESPONSE {
&nbsp;  set OPENSSO_COOKIE [HTTP::cookie value iPlanetDirectoryPro]
&nbsp;  if { $OPENSSO_COOKIE ne "" } {
&nbsp;     log local0. "Detected OpenSSO iPlanetDirectoryPro cookie with value $OPENSSO_
&nbsp;COOKIE"
&nbsp;     log local0. "Secure parameter for OpenSSO iPlanetDirectoryPro cookie is [HTTP
&nbsp;::cookie secure iPlanetDirectoryPro]"
&nbsp;     HTTP::cookie value iPlanetDirectoryPro "$OPENSSO_COOKIE; HttpOnly"
&nbsp;     log local0. "Setting new value for OpenSSO iPlanetDirectoryPro cookie, new va
&nbsp;lue is [HTTP::cookie value iPlanetDirectoryPro]"
&nbsp;     }
&nbsp;}&nbsp;
&nbsp;I'm thankfull for any help regarding this issue.&nbsp;
&nbsp;Best regards
&nbsp;Terje Gravvold&nbsp;

hooleylist · Answer

Hi Terje, 
&nbsp;  
&nbsp; I'd open a case on this to make a feature request for your scenario as I don't think there is a simple way to do this with existing HTTP::cookie commands for multiple cookies with the same name.  You could also run into this with cookie paths for example. 
&nbsp;  
&nbsp; In the meantime, you could try modifying the Set-Cookie header(s) instead.  You could use HTTP::header values Set-Cookie in 9.4.0 and higher to retrieve the values for each Set-Cookie header and then set the HttpOnly flag. 
&nbsp;  
&nbsp; Aaron

hooleylist · Answer

Hi Terje,  
&nbsp;  
&nbsp; If you do open a case on this, you can reference BZ368616 which notes a similar feature request. 
&nbsp;  
&nbsp; Aaron

sashi_81625 · Answer

if you dont mind setting HttpOnly flag to all cookies then u can use this 
&nbsp;  
&nbsp;   
&nbsp;  
&nbsp; when HTTP_RESPONSE { 
&nbsp;    HTTP::header replace Set-Cookie [string map [list path "HttpOnly; path"] [HTTP::header Set-Cookie]] 
&nbsp; } 
&nbsp;  
&nbsp;

hooleylist · Answer

Nice idea Sashi.  You would want to handle the possibility multiple Set-Cookie response headers with something like:

when HTTP_RESPONSE {
   set set_cookies [string map [list path "HttpOnly; path"] [HTTP::header values Set-Cookie]]
   HTTP::header remove Set-Cookies
   HTTP::header insert Set-Cookies $set_cookies
}

Aaron

hooleylist · Answer

Actually, HTTP::header values returns the headers in a list.  So you might need to join them with a semi-colon...  here's another untested stab 🙂

when HTTP_RESPONSE {
   set set_cookies [string map [list path "HttpOnly; path"] [HTTP::header values Set-Cookie]]
   HTTP::header remove Set-Cookies
   HTTP::header insert Set-Cookies [join $set_cookies ";"]
}

Aaron

Forum Discussion

HTTP::cookie - How can I handle cookies with duplicate names but diffrent domain value?

6 Replies

Recent Discussions

vulnerabilities-CVE-2020-16150 & CVE-2013-0169

google autenticator broken barcode

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

Related Content

iRule to take cookie from HTTP Response into HTTP Request via table

UDP TCP Packet Duplication

Change cookie domain in HTTP::respond

Duplicating BIG-IP Objects

Lightboard Lessons: HTTP Cookie SameSite Attribute