0.9.1
  • iApps Home
  • iControlREST Home
  • iControl (SOAP) Home
  • iRules Home
  • iRulesLX Home
  • TMSH Home
  • Clouddocs > > HTTP::cookie

Version notice:

HTTP::cookie¶

Description¶

Queries for or manipulates cookies in HTTP requests and responses. This command replaces the BIG-IP 4.X variable http_cookie.

Syntax¶

HTTP::cookie names
HTTP::cookie count
HTTP::cookie [value] <name> [<string>]
HTTP::cookie version <name> [version]
HTTP::cookie path <name> [path]
HTTP::cookie domain <name> [domain]
HTTP::cookie ports <name> [portlist]
HTTP::cookie insert name <name> value <value> [path <path>] [domain <domain>] [version <0 | 1 | 2>]
HTTP::cookie remove <name>
HTTP::cookie sanitize <name> [attribute]+
HTTP::cookie exists <name>
HTTP::cookie maxage <name> [seconds]
HTTP::cookie expires <name> [seconds] [absolute | relative]
HTTP::cookie comment <name> [comment]
HTTP::cookie secure <name> [enable|disable]
HTTP::cookie commenturl <name> [commenturl]
HTTP::cookie encrypt <name> <pass phrase> ["128" | "192" | "256"]
HTTP::cookie decrypt <name> <pass phrase> ["128" | "192" | "256"]

v11 Additions/Changes:
HTTP::cookie httponly <name> [enable|disable]
HTTP::cookie sanitize <-attributes|-names>

v12 Additions:
HTTP::cookie attribute <name> [insert <attribute> [value] | exists <attribute> | value <attribute> | remove <attribute> | names | count]

HTTP::cookie names¶

  • Returns a TCL list containing the names of all the cookies present in the HTTP headers.

HTTP::cookie count¶

  • Returns the number of cookies present in the HTTP headers.

HTTP::cookie [value] [string]¶

  • Sets or gets the value of an existing cookie with the given name. You can omit the keyword “value” from this command if the cookie name does not collide with any of the other commands. If the cookie does not exist when retrieving a cookie value, a null string will be returned.

HTTP::cookie version [version]¶

  • Gets or sets the version of the cookie. If a version 0 cookie is created using HTTP::cookie insert with attributes, attempting to set the version with this command will generate a TCL error.

HTTP::cookie path [path]¶

  • Sets or gets the cookie path.

HTTP::cookie domain [domain]¶

  • Sets or gets the cookie domain.
  • NOTE: When setting a domain value, the attribute set by the F5 is “domain” instead of the RFC 6265 compliant “Domain” and is ignored by several browsers. If setting the “Domain” attribute is for the purpose of browser recognition, it is recommended that the header be modified directly instead of using the HTTP::cookie domain command. This behavior is by design.

HTTP::cookie ports [portlist]¶

  • Sets or gets the cookie port lists for Version 2 cookies.

HTTP::cookie insert name value [path ] [domain ] [version <0 | 1 | 2>]¶

  • In an HTTP response, adds an additional Set-Cookie header. The default value for the version is 0. If the cookie already exists, a second cookie will be inserted (tested in 9.2.4).
  • Within the HTTP_REQUEST event, this command adds an additional Cookie header (tested in 10.2.4) which is not RFC compliant and is known to cause issues on certain web servers. Although the behavior renders the command useless within a request, the behavior is not a bug and is by design. To correctly insert a cookie in a request, compliant with RFC 6265, use HTTP::header to modify the value of the cookie header directly.

HTTP::cookie remove¶

  • Removes a cookie.

HTTP::cookie sanitize [attribute]+¶

HTTP::cookie sanitize <-attributes|-names>¶

  • Removes all but the specified attributes from the specified cookie. If no attributes are specified, then the cookie attributes are not modified. The second format above is strictly for versions 11.0 and greater.

HTTP::cookie exists¶

  • Returns a true value if the cookie exists.

HTTP::cookie maxage [seconds]¶

  • Sets or gets the max-age. Applies to Version 1 and 2 cookies only, and applies to responses only.

HTTP::cookie expires [seconds] [absolute | relative]¶

  • Sets or gets the expires attribute. Applies to Version 0 cookies only. If you specify the absolute argument, the seconds value represents number of seconds since the UNIX epoch (January 1, 1970). The default number of seconds is relative, which is the number of seconds from the current time. Applies to responses only.

HTTP::cookie comment [comment]¶

  • Sets or gets the cookie comment. Applies to Version 1 and 2 cookies only, and applies to responses only.

HTTP::cookie secure [enable | disable]¶

  • Sets or gets the value of the “secure” attribute. Applies to responses only. ‘HTTP::cookie secure ‘ returns “enable” or “disable” depending on whether the secure flag is set. If ‘HTTP::cookie secure enable’ is used on a cookie which already has the secure flag set, no change is made to the cookie.

HTTP::cookie commenturl [commenturl]¶

  • Sets or gets the comment URL. Applies only to Version 2 cookies, and applies to responses only.

HTTP::cookie encrypt [“128” | “192” | “256”]¶

  • Encrypts the value for the given cookie using a key generated from the pass phrase. The default key length is 128. The encryption method is AES. For an example, check the Codeshare rule, EncryptingCookies.
  • Note that the performance of HTTP::cookie encrypt|decrypt is significantly lower than encrypting|decrypting cookies via a custom HTTP profile’s cookie encryption option or using AES::encrypt|AES::decrypt to manually encrypt|decrypt the cookie values. This is due to differences in the encryption key generation.

HTTP::cookie decrypt [“128” | “192” | “256”]¶

  • Decrypts the value for the given cookie using a key generated from the pass phrase. The default key length is 128. The encryption method is AES. For an example, check the Codeshare rule, EncryptingCookies.
  • Note that the performance of HTTP::cookie encrypt|decrypt is significantly lower than encrypting|decrypting cookies via a custom HTTP profile’s cookie encryption option or using AES::encrypt|AES::decrypt to manually encrypt|decrypt the cookie values. This is due to differences in the encryption key generation.
  • Function returns the decrypted value.

HTTP::cookie httponly [enable | disable]¶

  • Sets or gets the value of the “httponly” attribute. Available only in v11+. Applies to responses only, applies to version 1 and 2 cookies only. ‘HTTP::cookie httponly ‘ returns “enable” or “disable” depending on whether the httponly flag is set.
  • If ‘HTTP::cookie httponly enable’ is used on a cookie which already has the httponly flag set, no change is made to the cookie.
  • NOTE: if the cookie is not a valid version 1 or 2 cookie, this command will generate a TCL error and reset the connection. Unfortunately, because cookie versions was made obsolete in RFC6265, it is unlikely servers will set cookie values following the strict version requirements built into this command. For those needing the HttpOnly property on a cookie and a connection reset is not desired, it is recommended that it be set manually.

Examples¶

Testing the SameSite cookie attribute

when HTTP_RESPONSE {

    log local0. "[IP::client_addr]:[TCP::client_port]:============================================"

    # Insert some test cookies in the response to the client to simulate cookies set by the application

    # Insert a cookie with name=cookie_name and value=cookie_value, path=/, SameSite=None, Secure flag set
    HTTP::cookie insert name "cookie_name" value "cookie_value" path "/"
    HTTP::cookie attribute "cookie_name" insert "SameSite" "None"
    HTTP::cookie secure "cookie_name" enable

    # Insert a cookie with name=cookie_name_2 and value=cookie_value_2, path=/, SameSite=strict
    HTTP::cookie insert name "cookie_name_2" value "cookie_value_2" path "/"
    HTTP::cookie attribute "cookie_name_2" insert "SameSite" "strict"

    # Insert a cookie with name=cookie_name_3 and value=cookie_value_3, path=/
    #   without SameSite set so we can modify that later in the iRule
    HTTP::cookie insert name "cookie_name_3" value "cookie_value_3" path "/"

    # Log the example Set-Cookie headers as if we got them from the application
    log local0. "[IP::client_addr]:[TCP::client_port]: \[HTTP::header values set-cookie\]: [HTTP::header values {set-cookie}]"

    set cookie_names [HTTP::cookie names]
    log local0. "[IP::client_addr]:[TCP::client_port]: \$cookie_names ([llength $cookie_names]): $cookie_names"
    foreach a_cookie $cookie_names {
        log local0. "[IP::client_addr]:[TCP::client_port]:"
        # Set the SameSite attribute to Strict if it's not set already
        if {not [HTTP::cookie attribute $a_cookie exists {SameSite}] }{
            log local0. "[IP::client_addr]:[TCP::client_port]: name=$a_cookie, setting SameSite to Strict"
            HTTP::cookie attribute $a_cookie insert "SameSite" "Strict"
        }

        # Loop through the attributes for this cookie
        set attr_names [HTTP::cookie attribute $a_cookie names]
        if { $attr_names ne "" }{
            log local0. "[IP::client_addr]:[TCP::client_port]: name=$a_cookie, SameSite exists? [HTTP::cookie attribute $a_cookie exists {SameSite}]"

            # Log the cookie attribute names and values
            foreach attr $attr_names {
                log local0. "[IP::client_addr]:[TCP::client_port]: name=$a_cookie, attribute $attr=[HTTP::cookie attribute $a_cookie value $attr]"
            }
        }
    }
}

# Example output of Set-Cookie headers from this iRule:
#   Set-Cookie: cookie_name=cookie_value;Path=/;SameSite=None;Secure
#   Set-Cookie: cookie_name_2=cookie_value_2;Path=/;SameSite=strict
#   Set-Cookie: cookie_name_3=cookie_value_3;Path=/;SameSite=Strict

# Log output from /var/log/ltm:
#      <HTTP_RESPONSE>: 10.1.1.8:51313: [HTTP::header values set-cookie]: {cookie_name=cookie_value;Path=/;SameSite=None;Secure}
#             {cookie_name_2=cookie_value_2;Path=/;SameSite=strict} {cookie_name_3=cookie_value_3;Path=/}
#      <HTTP_RESPONSE>: 10.1.1.8:51313: $cookie_names (3): cookie_name_2 cookie_name_3 cookie_name
#      <HTTP_RESPONSE>: 10.1.1.8:51313:
#      <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name_2, SameSite exists? 1
#      <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name_2, attribute Path=/
#      <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name_2, attribute SameSite=strict
#      <HTTP_RESPONSE>: 10.1.1.8:51313:
#      <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name_3, setting SameSite to Strict
#      <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name_3, SameSite exists? 1
#      <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name_3, attribute Path=/
#      <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name_3, attribute SameSite=Strict
#      <HTTP_RESPONSE>: 10.1.1.8:51313:
#      <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name, SameSite exists? 1
#      <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name, attribute Path=/
#      <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name, attribute SameSite=None
#      <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name, attribute Secure=

# Rename a cookie by inserting a new cookie name with the same value as the original.  Then remove the old cookie.
when HTTP_REQUEST {

   # Check if old cookie exists in request
   if { [HTTP::cookie exists "old-cookie-name"] } {

      # Insert a new cookie with the new name and old cookie's value
      HTTP::cookie insert name "new-cookie-name" value [HTTP::cookie value "old-cookie-name"]

      # Remove the old cookie
      HTTP::cookie remove "old-cookie-name"
   }
}


# Set the version to 1 first because HttpOnly can only be set for cookies with version 1 or 2 and the default version is 0:

# Set HttpOnly on all LTM and app generated cookies
when HTTP_RESPONSE {
   set cookieNames [HTTP::cookie names]
   foreach aCookie $cookieNames {
      HTTP::cookie version $aCookie 1
      HTTP::cookie httponly $aCookie enable
   }
}

# Or just for one statically defined cookie:
when HTTP_RESPONSE {
   HTTP::cookie version myCookie 1
   HTTP::cookie httponly myCookie enable
}

Related Information¶

Valid Events:
CACHE_REQUEST, CACHE_RESPONSE, HTTP_REQUEST, HTTP_REQUEST_DATA, HTTP_REQUEST_SEND, HTTP_RESPONSE, HTTP_RESPONSE_CONTINUE, HTTP_RESPONSE_DATA


Sample Code:

  • Apache mod_auth_tkt_ single sign on - Parse and verify an Apache mod auth_tkt single sign on (SSO) cookie.
  • Client Auth Using HTTP Cookie - This iRule illustrates how to use HTTP Cookies for client based authentcation.
  • Cookie Encryption Across Pools and Services - Implements cookie persistence based on node IP address. not member IP/port….
  • Cookie Persistence Without The Port - This rule was written in response to a requirement in which a client had connections to multiple virtual services. each with multiple ports. We wanted a light weight cookie based persistence…
  • Custom Apache-style logging for Java-based applications - I had a requirement to have the F5 BigIP produce logs which replicated our …
  • Delete Cookie From Request By Regex - This iRule allows an administrator to delete cookies from a request which match a defined class of regular expressions.
  • Encrypt HTTP cookies with dynamic names - Encrypt all of the BIG-IP persistence cookies regardless of their specific name
  • Encrypting Cookies - This example shows how to encrypt and decrypt a HTTP cookie from within an iRule.
  • Google Authenticator iRule For Two-Factor Auth With LDAP - This iRule adds two-factor authentication to a virtual server by combining an LDAP account with a Google Authenticator token
  • HTTP delay and validate clients using javascript cookies when CPU overloaded - If CPU usage high. delay clients and validate they’re real by making sure they can execute javascript.
  • HTTP prefetch insertion - This iRule demonstrate how to use BIG-IP to insert prefetch hint/force to http response from server.
  • HTTP redirect to HTTPS with pool down detection - I pieced this together from several rules because I couldn’t find a rule th…
  • HTTP session limit - HTTP Session limiting for LTM v10.1 using tables.
  • HTTP retry on 404 pre-9.2.0 - Mimic LB::reselect and HTTP::retry for pre-9.2.0 boxes
  • HTTP Session Limit - Limits total concurrent HTTP sessions to a pre-defined threshhold. allowing those clients with a session cookie to continue once the limit is reached. while redirecting new clients until con…
  • Load balancing based on ASP SessionID - The code separates into 2 irules. one for request and one for response. T…
  • Manual cookie persistence - I had an app admin ask me for a way to temporarily force node assignment. f…
  • Open SSO Authentication - A simple “Policy Agent” iRule that ensures that all incoming HTTP requests …
  • Outlook Anywhere Persistence with Cookie Backup - The deployment guide for Microsoft Exchange Server 2007 (http://www.f5.com/…
  • Persistence Cookie Logger - Extracts the cookie value from a persistence cookie inserted by LTM’s “cookie insert” persistence method
  • Proxy Auth - Provides Authentication offload onto an service such as LDAP.
  • Reorder Http Cookies - This iRule will reorder all the HTTP cookies going to the backend server.
  • Reverse Proxy With Basic SSO - The iRule implements a authenticated HTTPS reverse proxy.
  • Select pool member based on HTTP query string parameter - Allow clients to manually select a pool member based on a parameter set in the HTTP query string. with persistence.
  • Set the SameSite Attribute for LTM Persistence Cookies - iRule to apply SameSite attribute to persistence cookies
  • Set the SameSite Cookie Attribute for Web Application and BIG-IP Module Cookies - iRule to apply SameSite attribute to all cookies
  • Validate String Characters In Cookie Rule - This rule demonstrates how to efficiently validate whether a given string contains illegal characters.
  • Version 9.x session limiting - Contributed by: David Homoney - Senior Consultant F5 Networks - d.homoney (…
  • Weblogic JSessionID Persistence - Provides persistence on the jsessionid value found in either the URI or a cookie.
  • Weblogic JSessionID Persistence for Session Replication - Persists HTTP requests on the primary and secondary server values found in the JSESSIONID cookie when the WebLogic servers implement session replication across two servers

  • Introduced: BIGIP-9.0.0
  • Enhanced: BIGIP-11.0.0
  • Enhanced: BIGIP-12.0.0

The BIG-IP API Reference documentation contains community-contributed content. F5 does not monitor or control community code contributions. We make no guarantees or warranties regarding the available code, and it may contain errors, defects, bugs, inaccuracies, or security vulnerabilities. Your access to and use of any code available in the BIG-IP API reference guides is solely at your own risk.