iRule needed to clear specific cookies from particular domain

Question

Recently we moved our peoplesoft system to a subdomain of our DNS space. So instead of all our VIPs being for example, prod.abc.com they are now prod.ps.abc.com&nbsp;
Peoplesoft uses a cookie for single-signon and some other features. The primary cookie is PS_TOKEN, but there are others as well.&nbsp;
This move, for the most part, was seamless. However we have a particular case generally involving Safari on mac where the browser can submit the old domain token (cookie), which will sometimes cause the browser to "loop" the guest authentication page hundreds, or thousands of times a minute. &nbsp;
We have demonstrated that clearing the old domain cookies will solve the issue. We have demonstrated this using a static webpage with some javascript that is hosted on an address on the old domain (abc.com). If a browser with the "old" cookie visits our page in between, then it is cleared and works. This is a rather manual solution, and redirecting everyone there before logging in would seem to be one solution - but that will not work as we have some deep links that would be broken in that case.&nbsp;
What I desire (and have tried to create a few ways) is an iRule to:&nbsp;
Check for the existence of the cookie PS_TOKEN (and possibly others)Check that the cookie domain of that cookie(s) is .abc.comIf so, delete it (or if necessary set it's expiration to -1, which is what our js had to do)
Then pass the request on through to wherever it was headed to start with. Ideally using the pool already defined for the particular virtual server.&nbsp;
I haven't been able to get even the basics to seem to work. So I dropped back to seeing if the cookie is even being read by the F5, so here is where I sit now:&nbsp;
when HTTP_REQUEST {  &nbsp;
    if {[HTTP::cookie domain "PS_TOKEN"] contains ".abc.com"} {      &nbsp;
        HTTP::respond 200 content {found abccom cookie}
    }
    else
    {HTTP::respond 200 content {did not find cookie}
    }   &nbsp;
}&nbsp;
This never finds the cookie (at least it doesn't tell me it did).&nbsp;
Any help and direction is most appreciated. &nbsp;

aj_01_135899 · Answer

What about a basic cookie remove, if only as a start to troubleshooting?
when HTTP_REQUEST {
   if {[HTTP::cookie exists "PS_TOKEN"] {
        if {HTTP::cookie domain "PS_TOKEN" contains "abc.com"}{
            HTTP::cookie remove "PS_TOKEN"
        }
   }
}

jeff_brinkerho1 · Answer

I tried something very similar based on an example I found. Unfortunately it does not appear to remove the cookie (from the browser side). Watching with the dev console in chrome or IE, the cookie is still there with.&nbsp;
Oh, and "contains" for the evaluation won't work - as we moved to a subdomain. So it has to be "equals". Did I screw something up with this try?:&nbsp;
when HTTP_REQUEST {
   Check to be sure the cookie in question exists.&nbsp;
  if { [info exists [HTTP::cookie PS_TOKEN]] } {&nbsp;
     Now check to see if the domain is .abc.com
    set cookieDomain [HTTP::cookie domain "PS_TOKEN"]
    if { $cookieDomain == ".abc.com" } {
      if so, delete the cookies   &nbsp;
        HTTP::cookie remove PS_TOKEN
        HTTP::cookie remove PS_TOKENEXPIRE
        HTTP::cookie remove PS_LOGINLIST
        HTTP::cookie remove ExpirePage
        HTTP::cookie remove SignOnDefault
        HTTP::cookie remove pgltHPReload
    }
  }
HTTP::redirect [HTTP::host][HTTP::uri]
}&nbsp;

jeff_brinkerho1 · Answer

How do I post "code" on here, I cant seem to find the correct way....&nbsp;  when HTTP_REQUEST {
   Check to be sure the cookie in question exists.  
  if { [info exists [HTTP::cookie PS_TOKEN]] } {  
     Now check to see if the domain is .syr.edu
    set cookieDomain [HTTP::cookie domain "PS_TOKEN"]
    if { $cookieDomain == ".syr.edu" } {
      if so, delete the cookies     
        HTTP::cookie remove PS_TOKEN
        HTTP::cookie remove PS_TOKENEXPIRE
        HTTP::cookie remove PS_LOGINLIST
        HTTP::cookie remove ExpirePage
        HTTP::cookie remove SignOnDefault
        HTTP::cookie remove pgltHPReload
    }
  }
HTTP::redirect https://ptl9unit.ps.syr.edu[HTTP::uri]
}

jeff_brinkerho1 · Answer

Ahh got it...&nbsp;

aj_01_135899 · Answer

What did it end up being?  Digging further it looks like you'd have to do this on the HTTP_RESPONSE as well?

Forum Discussion

iRule needed to clear specific cookies from particular domain

8 Replies

Recent Discussions

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Can iRule be used to perform exception of IPI category based on Geolocation

Related Content

Cookie-based DDoS protection

Decoding the IPv4 address from the persistence cookie

2. SYN Cookie: Operation

1. SYN Cookie: Intro

Cookie Tampering Protection using F5 Distributed Cloud Platform