Forum Discussion

Steve_Brown_882's avatar
Steve_Brown_882
Historic F5 Account
Feb 03, 2012

Rewriting cookies

Hey Guys,

 

I am working on an irule to rewrite cookies on a site with httponly and secure flags set but getting an error on the http only flag sometimes. The rule is below...and this is v11.1

 

 

when HTTP_RESPONSE {

 

set cookie_names [HTTP::cookie names]

 

if { $cookie_names ne "" } {

 

foreach cookie $cookie_names {

 

HTTP::cookie httponly $cookie enable

 

HTTP::cookie secure $cookie enable

 

log local0. "The cookie $cookie was found and attributes modified."

 

}

 

}

 

 

 

 

 

The error I am seeing in the logs is here...

 

 

TCL error: /Common/cookie_rewrite - Improper version (line 4) invoked from within "HTTP::cookie httponly $cookie enable" ("foreach" body line 2) invoked from within "foreach cookie $cookie_names { HTTP::cookie httponly $cookie enable HTTP::cookie secure $cookie enable ..."

 

 

 

 

When I comment out the HTTP::cookie httponly $cookie enable line everything works fine and I succesfully rewrite the secure attr.

 

 

Any ideas?
  • i got the same error. anyway, may we try something like this?

    root@ve1100(Active)(/Common)(tmos) show sys version
    
    Sys::Version
    Main Package
      Product  BIG-IP
      Version  11.1.0
      Build    1943.0
      Edition  Final
      Date     Sun Nov 20 18:27:50 PST 2011
    
    root@ve1100(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.19.252:80
        ip-protocol tcp
        mask 255.255.255.255
        pool foo
        profiles {
            http { }
            tcp { }
        }
        rules {
            myrule
        }
        snat automap
        vlans-disabled
    }
    root@ve1100(Active)(/Common)(tmos) list ltm pool foo
    ltm pool foo {
        members {
            200.200.200.101:80 {
                address 200.200.200.101
            }
        }
    }
    root@ve1100(Active)(/Common)(tmos) list ltm rule myrule
    ltm rule myrule {
        when HTTP_RESPONSE {
       set cookie_names [HTTP::cookie names]
    
       if { $cookie_names ne "" } {
          foreach cookie $cookie_names {
             set cookie_value [HTTP::cookie $cookie]
                     HTTP::cookie remove $cookie
             HTTP::cookie insert name $cookie value $cookie_value path / version 1
             HTTP::cookie httponly $cookie enable
             HTTP::cookie secure $cookie enable
          }
       }
    }
    }
    
    [root@ve1100:Active] config  curl -I http://200.200.200.101
    HTTP/1.1 200 OK
    Date: Sat, 04 Feb 2012 01:05:07 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
    ETag: "4183e4-3e-9c564780"
    Accept-Ranges: bytes
    Content-Length: 62
    Set-Cookie: AAA=1111; path=/
    Set-Cookie: BBB=2222; path=/
    Set-Cookie: CCC=1234; path=/
    Content-Type: text/html; charset=UTF-8
    
    [root@ve1100:Active] config  curl -I http://172.28.19.252
    HTTP/1.1 200 OK
    Date: Sat, 04 Feb 2012 01:05:14 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
    ETag: "4183e4-3e-9c564780"
    Accept-Ranges: bytes
    Content-Length: 62
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: AAA=1111;Secure;HttpOnly;Path=/;Version=1;
    Set-Cookie: BBB=2222;Secure;HttpOnly;Path=/;Version=1;
    Set-Cookie: CCC=1234;Secure;HttpOnly;Path=/;Version=1;
    
    
  • I have just encountered exactly the same 'Improper version ' issue with httponly.

     

     

    This is using BIG-IP 11.1.0 HF2, and it appears the issue is with Cookie Version.

     

    For testing reasons, I am attempting to apply the httponly attribute to a persistence cookie (where one can presumably not control the version?).

     

  • doesn't the irule above still work??

    root@ve1110(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.19.252:80
        ip-protocol tcp
        mask 255.255.255.255
        persist {
            cookie {
                default yes
            }
        }
        pool foo
        profiles {
            http { }
            tcp { }
        }
        snat automap
        vlans-disabled
    }
    
    [root@ve1110:Active] config  curl -I http://172.28.19.252
    HTTP/1.1 200 OK
    Date: Thu, 19 Apr 2012 03:04:31 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
    ETag: "4183e4-3e-9c564780"
    Accept-Ranges: bytes
    Content-Length: 62
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: BIGipServerfoo=1707657416.20480.0000; path=/
    
    root@ve1110(Active)(/Common)(tmos) list ltm rule myrule
    ltm rule myrule {
        when HTTP_RESPONSE {
       set cookie_names [HTTP::cookie names]
    
       if { $cookie_names ne "" } {
          foreach cookie $cookie_names {
             set cookie_value [HTTP::cookie $cookie]
                HTTP::cookie remove $cookie
             HTTP::cookie insert name $cookie value $cookie_value path / version 1
             HTTP::cookie httponly $cookie enable
             HTTP::cookie secure $cookie enable
          }
       }
    }
    }
    
    root@ve1110(Active)(/Common)(tmos) modify ltm virtual bar rules { myrule }
    root@ve1110(Active)(/Common)(tmos) list ltm virtual bar
    ltm virtual bar {
        destination 172.28.19.252:80
        ip-protocol tcp
        mask 255.255.255.255
        persist {
            cookie {
                default yes
            }
        }
        pool foo
        profiles {
            http { }
            tcp { }
        }
        rules {
            myrule
        }
        snat automap
        vlans-disabled
    }
    root@ve1110(Active)(/Common)(tmos) quit
    
    [root@ve1110:Active] config  curl -I http://172.28.19.252
    HTTP/1.1 200 OK
    Date: Thu, 19 Apr 2012 03:05:06 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
    ETag: "4183e4-3e-9c564780"
    Accept-Ranges: bytes
    Content-Length: 62
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: BIGipServerfoo=1707657416.20480.0000;Secure;HttpOnly;Path=/;Version=1;