iRule needed to clear specific cookies from particular domain
Recently we moved our PeopleSoft system to a subdomain of our DNS space. So instead of all our VIPs being, for example, prod.abc.com, they are now prod.ps.abc.com.
PeopleSoft uses a cookie for single sign-on and some other features. The primary cookie is PS_TOKEN, but there are others as well.
This move, for the most part, was seamless. However, we have a particular case, generally involving Safari on Mac, where the browser can submit the old domain token (cookie), which will sometimes cause the browser to "loop" the guest authentication page hundreds or thousands of times a minute.
We have demonstrated that clearing the old domain cookies will solve the issue. We have demonstrated this using a static webpage with some JavaScript that is hosted on an address on the old domain (abc.com). If a browser with the "old" cookie visits our page in between, then it is cleared and works. This is a rather manual solution, and redirecting everyone there before logging in would seem to be one solution - but that will not work as we have some deep links that would be broken in that case.
What I desire (and have tried to create a few ways) is an iRule to:
- Check for the existence of the cookie PS_TOKEN (and possibly others)
- Check that the cookie domain of that cookie(s) is .abc.com
- If so, delete it (or if necessary set its expiration to -1, which is what our JS had to do)
Then pass the request on through to wherever it was headed to start with. Ideally using the pool already defined for the particular virtual server.
I haven't been able to get even the basics to seem to work. So I dropped back to seeing if the cookie is even being read by the F5, so here is where I sit now:
when HTTP_REQUEST {
    if {[HTTP::cookie domain "PS_TOKEN"] contains ".abc.com"} {
        HTTP::respond 200 content {found abccom cookie}
    } else {
        HTTP::respond 200 content {did not find cookie}
    }
}
This never finds the cookie (at least it doesn't tell me it did).
Any help and direction is most appreciated.
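An added example, not part of the original post: a browser's Cookie request header carries only name=value pairs and never the Domain attribute, so the stale cookie can be detected by name only and has to be expired from the response side with a Set-Cookie header scoped to the old domain. The cookie path "/" and the name list are assumptions; a browser only drops a cookie when the Domain and Path of the expiring Set-Cookie match the ones it was stored with.

```tcl
# Added example (not the poster's code).
# Assumptions: old cookies were set with Domain=.abc.com and Path=/,
# and old_names lists every cookie that should be cleared.

when HTTP_REQUEST {
    # Cookie names to expire on the old parent domain (PS_TOKEN is from the post;
    # extend the list with the other PeopleSoft cookies as needed).
    set old_names {PS_TOKEN}

    # Rebuilt per request so keep-alive connections do not carry stale state.
    set expire_list {}

    foreach name $old_names {
        # The request only reveals that a cookie with this name was sent,
        # not which domain it was stored under.
        if { [HTTP::cookie exists $name] } {
            lappend expire_list $name
        }
    }
    # No HTTP::respond here: the request continues to the virtual server's
    # default pool unchanged, so deep links keep working.
}

when HTTP_RESPONSE {
    foreach name $expire_list {
        # Browsers key cookies by (name, domain, path), so this expires only the
        # copy stored for .abc.com and leaves the .ps.abc.com cookie alone.
        # "insert" appends a new header and does not touch the application's
        # own Set-Cookie headers.
        HTTP::header insert "Set-Cookie" \
            "$name=; Domain=.abc.com; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT"
    }
}
```

Because the request cannot distinguish the old cookie from the new one, the expiring header is sent whenever a cookie with that name is present; it is a no-op for browsers that no longer hold the .abc.com copy.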