**Change default cookie insert name**

Is there any possibility to change the default cookie name (BIGipServer) for a cookie insert persistence profile? We want to use a standard cookie insert profile across several virtual servers while avoiding the name "BIGipServer", but we still need the "" as a dynamic variable. Is there some variable syntax available for the cookie name field, or can we modify the default "BIGipServer" string? Or is this hardcoded somewhere in the OS? Thank you! Regards, Stefan 🙂

**Secure Cookie when the VIP is requested by IP (not URL)**
Hello. I have a VIP config where the pool member is the one handling the cookie to the client. The pool member has a limitation: when the client accesses the VIP via IP (not URL), the cookie is served not secured. I created this iRule, but one of its side effects is an increase in CPU utilization.

```tcl
when HTTP_RESPONSE {
    # set the Secure flag on every cookie in the response
    set cookies [HTTP::cookie names]
    foreach aCookie $cookies {
        HTTP::cookie secure $aCookie enable
    }
}
```

Is this the most efficient way? Is there a way to use a policy vs. an iRule? Thank you, J

**iRule to remove all cookies**
Hello, we are testing an iRule to remove all cookies from the client browser after an idle time. The cookie for TCP isn't what we are looking for, rather the actual cookie sent to the server. Any suggestion on how to achieve this? If I inserted a cookie manually, I want the iRule to delete it after I refresh the page. We are testing this on BIG-IP LTM. iRule example:

```tcl
when HTTP_REQUEST {
}
when HTTP_RESPONSE {
    # list of cookie names in the response
    set cookieNames [HTTP::cookie names]
    foreach aCookie $cookieNames {
        # iterating over the cookie names in the variable aCookie
        # removing the cookie
        HTTP::cookie remove $aCookie
    }
}
```

**Looking for Feedback/Efficiency on Cookie Removal**
Background: We have a homegrown portal that users log in to and then launch applications from. This portal injects a ridiculous number of cookies into the client. One or more of these cookies prevent an application from working correctly. My iRule that I quickly made to 'fix' the issue is below. Since I cannot modify the response to expire the cookies I don't want, because that will break other applications if users attempt to launch them, I have to scrub any of the cookies I don't want to get to this application on every incoming request.

Question(s):

1) Aside from fixing the portal (I want to replace it with APM... we'll see), is there another avenue I should be looking at to fix this besides an iRule?

2) Can my iRule be made more efficient by using switch or data groups? I couldn't figure out how to do that, since I don't know of a way to do 'not equal' or not 'starts_with' within switch, or how to get the data group syntax to work. There are more cookies I have to allow than included here; I shortened it.

```tcl
when HTTP_REQUEST {
    set cookies [HTTP::cookie names]
    log local0. "Inbound cookies are $cookies"
    foreach cookie $cookies {
        # allow-list of cookie name prefixes; the empty prefixes stand for names elided from the post
        if { !($cookie starts_with "f5" or $cookie starts_with "" or $cookie starts_with "") } {
            HTTP::cookie remove $cookie
            log local0. "Removing cookie $cookie"
        }
    }
}
```

**Fixing Incomplete SAML SP Initiated Login**
This is not really a question, because I already know the answer. I spent a fair amount of time and received awesome help from a few people on this forum. I wanted to post this here so others can avoid the same headache.

Specific Issue: The Service Provider sends what they call a "Partial SP Initiated Authentication." What really happens is that they perform a 302 Location redirect and have both SAMLRequest and RelayState parameters in the URL. However, SAMLRequest= is blank. They have neglected to deflate, 64-bit encode, and URL encode a SAML Request in their redirect.

Fixing Missing SAML Request: Since the Service Provider is not sending a SAMLRequest, the F5 has to trigger an IdP initiated login, and this can be done with an iRule attached to the webtop Virtual Server. However, this will only get you connected to the landing page and does not take into account the RelayState parameter sent in the 302 Location redirect.

Fixing the RelayState: The way this was accomplished was by creating back-to-back virtual servers, using cookies to pass the appropriate RelayState URI, and a Stream profile to modify the SAML Response on its way back to the user's web browser.

Front-end Virtual Server: The front-end virtual server has 2 responsibilities. The first is to forward all traffic through from the user's web browser on to the webtop virtual server. This is a simple iRule. The second responsibility is to use a Stream profile to modify the SAML Response and append the missing RelayState information appropriately.

Back-end Virtual Server: The back-end virtual server is for hosting the Access Policy and an iRule that catches the request, initiates an unsolicited IdP SAML Response, and passes the RelayState back to the front-end virtual server via an HTTP cookie.

Note: I took a shortcut on setting up the RelayState form element by pre-populating the SP connector with a "/" in the RelayState field.

**Front-end iRule to redirect all traffic to back-end virtual server:**

```tcl
when HTTP_REQUEST {
    virtual /Common/VS_Portal
    log local0. "Forwarded to Portal"
}
```

**Back-end iRule to initiate SAML Response and pass RelayState via cookie:**

```tcl
when ACCESS_POLICY_COMPLETED {
    if { [string tolower [ACCESS::session data get session.server.landinguri]] contains "apps" } {
        if { [ACCESS::session data get session.server.landinguri] == "/saml/idp/profile/redirectorpost/sso" } {
            log local0. "SP initiated SAML detected, not sending redirect"
        } else {
            # pull RelayState out of the landing URI and undo the URL encoding of / ? =
            set relaystatevalue "[string map {"%2f" "/" "%3f" "?" "%3d" "="} [URI::query [ACCESS::session data get session.server.landinguri] "RelayState"]]"
            ACCESS::respond 302 Location "https://go.domain.com/saml/idp/res?id=/Common/SAML_APP"
            log local0. "IDP initiated SAML detected, sending redirect [URI::query [ACCESS::session data get session.server.landinguri] "RelayState"]"
            HTTP::cookie insert name "RelayState" value $relaystatevalue domain ".domain.com"
            return
        }
    }
}
```

**Front-end iRule to modify return traffic SAML Response and modify RelayState:**

```tcl
when HTTP_REQUEST {
    set relaystatesetter 0
    set relaystatevalue 0
    set relaystateexists 0
    if { [HTTP::cookie exists "RelayState"] } {
        set relaystateexists 1
        set relaystatevalue "[HTTP::cookie RelayState]"
    }
    log local0. "iRule Logger - HTTP_REQUEST Starting hostname=[HTTP::host];uri=[HTTP::uri]"
    if { [HTTP::uri] contains "RelayState" } {
        log local0. "iRule Logger - HTTP_REQUEST RelayState Store Cookie hostname=[HTTP::host];uri=[HTTP::uri]"
        set relaystatesetter 1
        set relaystatevalue "[string map {"%2f" "/" "%3f" "?" "%3d" "="} [URI::query [HTTP::uri] RelayState]]"
        log local0. "iRule Logger - RelayState is $relaystatevalue;relaystatesetter=$relaystatesetter"
        HTTP::cookie insert name "RelayState" value $relaystatevalue domain ".domain.com"
    }
}
when HTTP_RESPONSE {
    if { $relaystatesetter == 1 } {
        HTTP::cookie insert name "RelayState" value $relaystatevalue domain ".domain.com"
    }
    log local0. "iRule Logger - HTTP_RESPONSE Triggered - relaystate=$relaystatevalue"
    if { $relaystateexists == 1 } {
        log local0. "iRule Logger - HTTP_RESPONSE Triggered - relaystateexists=$relaystateexists"
        # stream expression as posted (the search/replace text was elided in the post)
        STREAM::expression "@@@"
        STREAM::enable
    }
}
```

**SAML token convert to JWT**
Hello, I created an iRule to convert a SAML token to a JWT (JSON Web Token). It works well, but I get a signature error. I tried many options and formats, but nothing works. I'm sure you can help me easily. I have created a working access profile with SAML. BIG-IP is the SP with an external IdP. Here is my iRule.

```tcl
when ACCESS_ACL_ALLOWED {
    # set hmac-sha256 secret
    set secret_key "secret"
    # get data from the SAML session (APM -> Manage Sessions -> Variables -> View)
    set user [ACCESS::session data get session.saml.last.nameIDValue]
    set sub [ACCESS::session data get session.saml.last.attr.name./EmployeeID]
    set nbf [ACCESS::session data get session.saml.last.validityNotBefore]
    set exp [ACCESS::session data get session.saml.last.validityNotOnOrAfter]
    set email [ACCESS::session data get session.saml.last.attr.name./identity/claims/emailaddress]
    set surname [ACCESS::session data get session.saml./Common/xyz_auth_ag.attr.name./identity/claims/surname]
    set givenname [ACCESS::session data get session.saml./Common/xyz_auth_ag.attr.name./identity/claims/givenname]
    set aud [ACCESS::session data get session.saml.last.assertionIssuer]
    set gpid [ACCESS::session data get session.saml.last.attr.name./GPID]
    # name of the cookie
    set cookie_name "xyz-JWT"
    # set cookie header
    set cookie_header "[b64encode "{\r\n \"alg\": \"HS256\", \r\n \"typ\": \"JWT\"\r\n}"]"
    # set cookie payload
    set cookie_payload "[b64encode "{\r\n \"user\": \"$user\",\r\n \"sub\": \"$sub\",\r\n \"nbf\": \"$nbf\",\r\n \"exp\": \"$exp\",\r\n \"email\": \"$email\",\r\n \"surname\": \"$surname\",\r\n \"givenname\": \"$givenname\",\r\n \"aud\": \"$aud\",\r\n \"gpid\": \"$gpid\"\r\n}"]"
    # set cookie data for signature
    set cookie_data [concat "[b64encode [URI::encode $cookie_header]].[b64encode [URI::encode $cookie_payload]]"]
    # test some other versions (the last assignment is the one that gets signed)
    set cookie_data "[URI::encode [b64encode $cookie_header]]\".\"[URI::encode [b64encode $cookie_payload]]"
    set cookie_data "[URI::encode $cookie_header]\".\"[URI::encode $cookie_payload]"
    # note: a " that is not at the start of a word is an ordinary character in Tcl
    set cookie_data $cookie_header"."$cookie_payload
    log local0. "cookie_data $cookie_data"
    # create signature
    set cookie_sig "[CRYPTO::sign -alg hmac-sha256 -key $secret_key $cookie_data]"
    # convert signature in some versions
    set cookie_sig_b64 "[b64encode $cookie_sig]"
    set cookie_sig_b64_url "[URI::encode $cookie_sig_b64]"
    # the posted line read [b64encode $cookie_sig_url] with $cookie_sig_url never set; URI::encode of the raw signature assumed
    set cookie_sig_url_b64 "[b64encode [URI::encode $cookie_sig]]"
    log local0. "sig_b64= $cookie_sig_b64"
    log local0. "sig_b64_url= $cookie_sig_b64_url"
    log local0. "sig_url_b64= $cookie_sig_url_b64"
    # verify signature
    if { [CRYPTO::verify -alg hmac-sha256 -key $secret_key -signature $cookie_sig $cookie_data] } {
        log local0. "Data verified"
    }
    # create full JWT
    set cookie "$cookie_header.$cookie_payload.$cookie_sig_url_b64"
    HTTP::cookie insert name $cookie_name value $cookie
    log local0. "$cookie_name $cookie"
}
# send to client
when HTTP_RESPONSE {
    HTTP::cookie insert name $cookie_name value $cookie
}
```

If I verify the cookie with jwt.io (website), I always get a signature error. Everything else works. The JSON notation for the signature is:

HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )

(secret base64 encoded). I think I have a mistake in the format of cookie_data. In the version above you can see some of my tests. Who can help me? Cheers, NetSnoopy
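The HS256 construction jwt.io expects, as an added Python example (not from the post above and not F5 code): `make_hs256_jwt` builds a token with base64url segments (no padding, `-`/`_` alphabet) joined by a bare ".", `verify_hs256_jwt` checks one, and `irule_style_token` reproduces what the posted iRule's last `cookie_data` assignment actually signs so the two can be compared. The claim values and the secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample claims standing in for the APM session variables
# (session.saml.last.nameIDValue and friends) read in the iRule above.
SAMPLE_CLAIMS = {"user": "jdoe", "sub": "12345", "aud": "https://idp.example.test"}
SECRET = b"secret"  # the same placeholder key the iRule uses


def b64url(data: bytes) -> str:
    """RFC 7515 base64url: '-' and '_' alphabet, no '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Header and payload are base64url-encoded, joined by a literal '.',
    and the HMAC is computed over exactly that ASCII string."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_hs256_jwt(token: str, secret: bytes):
    """Return the claims when the signature is valid, otherwise None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url_decode(sig), expected):
            return None
        if json.loads(b64url_decode(header)).get("alg") != "HS256":  # no alg switching
            return None
        return json.loads(b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def irule_style_token(claims: dict, secret: bytes) -> str:
    """What the posted iRule produces: standard base64 (with '=' padding and '+' '/')
    for both segments, and Tcl's  $hdr"."$payload  which keeps the quote characters,
    so the MAC covers  hdr"."payload  rather than  hdr.payload."""
    header = base64.b64encode(b'{\r\n "alg": "HS256", \r\n "typ": "JWT"\r\n}').decode()
    payload = base64.b64encode(json.dumps(claims).encode()).decode()
    mac = hmac.new(secret, f'{header}"."{payload}'.encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{base64.b64encode(mac).decode()}"
```

A token from `make_hs256_jwt` validates on jwt.io with the same secret; the `irule_style_token` output fails for the same reason the post reports.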
**iRule - Adding a cookie based on Geo-IP, without breaking everything**

Hi all, first post on DevCentral. I've done a handful of iRules but am not great at them. I have a case where we have a website with multiple language/country versions. I have been asked to be able to change a resource on the site based upon the client's US state. At the moment, we are just targeting Florida. The logic on the server side is set up and works, so if cookie "uslocation" has value "florida" the logo changes. The problem is, the logo won't change without me adding the cookie to the HTTP_RESPONSE, and I suspect I'm not doing the HTTP_RESPONSE correctly, because it fails to load everything that isn't in the /usa/ path, and if the cookie isn't present, the connection is dropped.

```tcl
when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] equals "mywebsite.com" && [HTTP::path] eq "/usa" } {
        # Parse the client IP from the header supplied
        set client_ip [HTTP::header value "X-Forwarded-For"]
        log local0. " Staging - XFF ... incoming connection from $client_ip "
        if { $client_ip eq "" } {
            # The header was empty/did not exist, so use the actual client IP
            log local0. "Staging - XFF Header was empty so using actual IP - $client_ip"
            set client_ip [IP::client_addr]
        }
        set state [string tolower [whereis $client_ip state]]
        log local0. " Staging - incoming connection from $client_ip detected state as $state"
        if { $state eq "florida" } {
            log local0. " Staging - .. $state.. "
            set cookie_insertion 1
            HTTP::cookie insert name "uslocation" value $state path "/usa" domain "mywebsite.com"
        }
        log local0. "Cookies = [HTTP::cookie uslocation] "
    } else {
        pool POOL-STAGING-HTTP
    }
}
when HTTP_RESPONSE {
    # cookie_insertion and state are only assigned on the /usa branch above
    if { $cookie_insertion > 0 } {
        log local0. " RESPONSE - Adding cookie to response Staging - ... $state.. "
        HTTP::cookie insert name "uslocation" value $state path "/usa" domain "mywebsite.com"
        log local0. "RESPONSE - Cookies = [HTTP::cookie uslocation] "
    }
}
```

Any help would be hugely appreciated.

**Simple WordPress login protection, using cookie insert**
I'm trying to deny access to the default login page on our WordPress site when going straight to the login page (/wp-login.php), by redirecting you to /access-denied. But if you know the "secret" page, https://[HTTP::host]/secretpage, then the iRule should put a cookie in your browser, then redirect you to the actual login page, and now allow you to log in. Any suggestions on how this could be done? Tried something like this, but not getting the expected result:

```tcl
when HTTP_REQUEST {
    if { [string tolower [HTTP::path]] equals "/secretpage" } {
        HTTP::cookie insert name "SecretWP" value "1"
        HTTP::redirect https://[HTTP::host]/wp-login.php
    }
    if { [string tolower [HTTP::path]] contains "/wp-login.php" and (![HTTP::cookie exists "SecretWP"]) } {
        # troubleshooting response: list the cookie names seen on the request
        HTTP::respond 200 content "Rejected! Cookie names: [HTTP::cookie names]"
    }
}
```

In the end I added an HTTP::respond 200 content with HTTP::cookie names for troubleshooting, but the cookie I tried to insert was not in the list. I made this iRule sort of based on an example I found on the F5 site, but most other examples seem to always do the cookie insert in HTTP_RESPONSE, so I'm wondering if that's the problem? Can't do an insert in HTTP_REQUEST? / Per

**Removal Cookies on Client Browser**
Hello, I'm trying to erase a bunch of cookies which belong to an expired session. The cookies are sent by the servers (CyberArk) and they are session cookies. In this scenario the F5 is used as auth provider with an APM policy along with the load balancing. The APM policy is in LTM+APM mode, so there is no webtop, connectivity profile or advanced resource assign agent. This is not a new deployment, but after the upgrade of the CyberArk software on the pool members, this design started to act a bit weird. When the predefined idle timeout expires on CyberArk, the subsequent requests get an error message on the client and the client sees an empty white page. After cleaning everything (Ctrl+Shift+Del or using incognito mode) in the browser, the problem vanishes. According to CyberArk support, the client sends a token that is not valid anymore. We identified some cookies that look like they carry these tokens and we wrote an iRule to tell the client to clean all those cookies when an APM session starts. It seems like the iRule sends all the needed cleaning declarations to the client browser, and we saw all those cookies removed from the browser's cookie store. But somehow some of them (CA11111, CA22222 and CA66666) are still carrying old token information. According to my google-fu, there is no special removing method besides mine. Also, I found no information about whether one needs to specify all those attributes used at the Set-Cookie moment while removing them as well. I mean the "domain=", "path=", "secure" and other attributes sent by the server along with the cookie at the beginning.

The cookies sent by the server:

```http
Set-Cookie: CA33333=; path=/PasswordVault/; SameSite=Strict; secure; HttpOnly
Set-Cookie: __AntiXsrfToken=; expires=Tue, 11-May-1993 08:57:48 GMT; path=/; secure; HttpOnly
Set-Cookie: CA44444=64D55E4839F5ED0032A7D0A7863EB07336F49030; path=/PasswordVault/; SameSite=Strict; secure; HttpOnly
Set-Cookie: CA11111=00000002531296421D1226B831C822BA3BEE6FD4245F97F9A49C4C416052B0EC975B1B0C00000000; path=/PasswordVault/; SameSite=Strict; secure; HttpOnly
Set-Cookie: CA22222=A1AC061D681C256A9DDF259B64D55E4839F5ED0032A7D0A7863EB07336F49030; path=/PasswordVault/; SameSite=Strict; secure; HttpOnly
Set-Cookie: CA55555=cyberark; path=/PasswordVault/; SameSite=Strict; secure
Set-Cookie: CA66666=jjxH6-chSXEEGbEjXXl7gyZv8xtT1XfiWqaUz7FPTVqntHw0AfdtPowY5YM0TJv5RHhFJPgoN1Oly2AJzxicXX5RroibSQeh1b4Ua_PTbA3L4fjEVTin3TXQ0bK9PU-VO6koC5iPZ0tOehb8AijWe0zJKaPJ_2hbqIBjgxVsitpxv3VBgXxEFqYQ9If8sE4o2wYS00mu0gVjRZKS9KSVLrbZPDVve0PgNT2alYsAv8Ic1O3mfqkgEYuAuJMndKMxGmE-7ehbwZX373XionLWaq3Viz67yk6UUH8qYCKhf2gpSnkh5PO-u9_e2M5O8uYYEVpTcA4O50Q0IAeU_V4zsg2; path=/PasswordVault/; SameSite=None; secure
Set-Cookie: 6a5a355a-0547-40ce-9770-fc22d1f3bbea=8096DBD1E9E9ECF050757DDD2538169332D568558048455B5EC4A9CCB22A74F285F74A13FFF1DAC916C7558EBB15FD0F5EE388C0200435FA4822BD64B5833B0F824A23313EDBDDF519B5170AC7F177FF8D85DF020BEDDD01767EE977A710D5DB3DD6FE3D8A7C0D26442CE3EA472FD456FE69930D39769576D155C488AB79BB08818D36C8253800517365B75AF827BBF6; path=/PasswordVault/; secure; HttpOnly; SameSite=Lax
```

My iRule:

```tcl
when CLIENT_ACCEPTED {
    set status 0
    ACCESS::restrict_irule_events disable
}
when ACCESS_SESSION_STARTED {
    set status 1
}
when HTTP_RESPONSE_RELEASE {
    if { $status == 1 } {
        # expire each known token cookie on the way back to the client
        HTTP::header insert "Set-Cookie" "CA11111=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"
        HTTP::header insert "Set-Cookie" "CA22222=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"
        HTTP::header insert "Set-Cookie" "CA33333=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"
        HTTP::header insert "Set-Cookie" "CA44444=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"
        HTTP::header insert "Set-Cookie" "CA55555=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"
        HTTP::header insert "Set-Cookie" "CA66666=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"
        HTTP::header insert "Set-Cookie" "6a5a355a-0547-40ce-9770-fc22d1f3bbea=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"
        HTTP::header insert "Set-Cookie" "pam_persist=deleted;expires=Thu, 01-Jan-1970 00:00:01 GMT;path=/"
    }
}
```

My questions are:

1. Is there any specific requirement to delete a cookie, or can I use the above iRule to erase all of them? Should I specify all those attributes along with the cookies while deleting?
2. Some of the above cookies are sent from the server when a specific request is made by the client. While deleting them, is there any specific rule/policy to follow? Like deleting the cookie at the request sent by the client.
3. I tried to use the "HTTP::cookie remove" method, but somehow I did not see any delete (Set-Cookie header) message coming from the F5 for the cookies. How does the "HTTP::cookie remove" method actually delete a cookie?
4. This is for the APM specialists. In an LTM+APM policy, is there any way to determine the moment the session expiration happened and initiate an HTTP response with the cookie-clean message to the client?

Thanks in advance.