HTTP::cookie¶
Description¶
Queries for or manipulates cookies in HTTP requests and responses.
This command replaces the BIG-IP 4.X variable http_cookie.
Syntax¶
HTTP::cookie names
HTTP::cookie count
HTTP::cookie [value] <name> [<string>]
HTTP::cookie version <name> [version]
HTTP::cookie path <name> [path]
HTTP::cookie domain <name> [domain]
HTTP::cookie ports <name> [portlist]
HTTP::cookie insert name <name> value <value> [path <path>] [domain <domain>] [version <0 | 1 | 2>]
HTTP::cookie remove <name>
HTTP::cookie sanitize <name> [attribute]+
HTTP::cookie exists <name>
HTTP::cookie maxage <name> [seconds]
HTTP::cookie expires <name> [seconds] [absolute | relative]
HTTP::cookie comment <name> [comment]
HTTP::cookie secure <name> [enable|disable]
HTTP::cookie commenturl <name> [commenturl]
HTTP::cookie encrypt <name> <pass phrase> ["128" | "192" | "256"]
HTTP::cookie decrypt <name> <pass phrase> ["128" | "192" | "256"]
v11 Additions/Changes:
HTTP::cookie httponly <name> [enable|disable]
HTTP::cookie sanitize <-attributes|-names>
v12 Additions:
HTTP::cookie attribute <name> [insert <attribute> [value] | exists <attribute> | value <attribute> | remove <attribute> | names | count]
HTTP::cookie names¶
- Returns a TCL list containing the names of all the cookies present in the HTTP headers.
HTTP::cookie [value] [string]¶
- Sets or gets the value of an existing cookie with the given name. You can omit the keyword “value” from this command if the cookie name does not collide with any of the other commands. If the cookie does not exist when retrieving a cookie value, a null string will be returned.
HTTP::cookie version [version]¶
- Gets or sets the version of the cookie. If a version 0 cookie is created using HTTP::cookie insert with attributes, attempting to set the version with this command will generate a TCL error.
HTTP::cookie domain [domain]¶
- Sets or gets the cookie domain.
- NOTE: When setting a domain value, the attribute set by the F5 is “domain” instead of the RFC 6265 compliant “Domain” and is ignored by several browsers. If setting the “Domain” attribute is for the purpose of browser recognition, it is recommended that the header be modified directly instead of using the HTTP::cookie domain command. This behavior is by design.
HTTP::cookie insert name value [path ] [domain ] [version <0 | 1 | 2>]¶
- In an HTTP response, adds an additional Set-Cookie header. The default value for the version is 0. If the cookie already exists, a second cookie will be inserted (tested in 9.2.4).
- Within the HTTP_REQUEST event, this command adds an additional Cookie header (tested in 10.2.4) which is not RFC compliant and is known to cause issues on certain web servers. Although the behavior renders the command useless within a request, the behavior is not a bug and is by design. To correctly insert a cookie in a request, compliant with RFC 6265, use HTTP::header to modify the value of the cookie header directly.
HTTP::cookie sanitize [attribute]+¶
HTTP::cookie sanitize <-attributes|-names>¶
- Removes all but the specified attributes from the specified cookie. If no attributes are specified, then the cookie attributes are not modified. The second format above is strictly for versions 11.0 and greater.
HTTP::cookie maxage [seconds]¶
- Sets or gets the max-age. Applies to Version 1 and 2 cookies only, and applies to responses only.
HTTP::cookie expires [seconds] [absolute | relative]¶
- Sets or gets the expires attribute. Applies to Version 0 cookies only. If you specify the absolute argument, the seconds value represents number of seconds since the UNIX epoch (January 1, 1970). The default number of seconds is relative, which is the number of seconds from the current time. Applies to responses only.
HTTP::cookie comment [comment]¶
- Sets or gets the cookie comment. Applies to Version 1 and 2 cookies only, and applies to responses only.
HTTP::cookie secure [enable | disable]¶
- Sets or gets the value of the “secure” attribute. Applies to responses only. ‘HTTP::cookie secure ‘ returns “enable” or “disable” depending on whether the secure flag is set. If ‘HTTP::cookie secure enable’ is used on a cookie which already has the secure flag set, no change is made to the cookie.
HTTP::cookie commenturl [commenturl]¶
- Sets or gets the comment URL. Applies only to Version 2 cookies, and applies to responses only.
HTTP::cookie encrypt [“128” | “192” | “256”]¶
- Encrypts the value for the given cookie using a key generated from the pass phrase. The default key length is 128. The encryption method is AES. For an example, check the Codeshare rule, EncryptingCookies.
- Note that the performance of HTTP::cookie encrypt|decrypt is significantly lower than encrypting|decrypting cookies via a custom HTTP profile’s cookie encryption option or using AES::encrypt|AES::decrypt to manually encrypt|decrypt the cookie values. This is due to differences in the encryption key generation.
HTTP::cookie decrypt [“128” | “192” | “256”]¶
- Decrypts the value for the given cookie using a key generated from the pass phrase. The default key length is 128. The encryption method is AES. For an example, check the Codeshare rule, EncryptingCookies.
- Note that the performance of HTTP::cookie encrypt|decrypt is significantly lower than encrypting|decrypting cookies via a custom HTTP profile’s cookie encryption option or using AES::encrypt|AES::decrypt to manually encrypt|decrypt the cookie values. This is due to differences in the encryption key generation.
- Function returns the decrypted value.
HTTP::cookie httponly [enable | disable]¶
- Sets or gets the value of the “httponly” attribute. Available only in v11+. Applies to responses only, applies to version 1 and 2 cookies only. ‘HTTP::cookie httponly ‘ returns “enable” or “disable” depending on whether the httponly flag is set.
- If ‘HTTP::cookie httponly enable’ is used on a cookie which already has the httponly flag set, no change is made to the cookie.
- NOTE: if the cookie is not a valid version 1 or 2 cookie, this command will generate a TCL error and reset the connection. Unfortunately, because cookie versions was made obsolete in RFC6265, it is unlikely servers will set cookie values following the strict version requirements built into this command. For those needing the HttpOnly property on a cookie and a connection reset is not desired, it is recommended that it be set manually.
Examples¶
Testing the SameSite cookie attribute
when HTTP_RESPONSE {
log local0. "[IP::client_addr]:[TCP::client_port]:============================================"
# Insert some test cookies in the response to the client to simulate cookies set by the application
# Insert a cookie with name=cookie_name and value=cookie_value, path=/, SameSite=None, Secure flag set
HTTP::cookie insert name "cookie_name" value "cookie_value" path "/"
HTTP::cookie attribute "cookie_name" insert "SameSite" "None"
HTTP::cookie secure "cookie_name" enable
# Insert a cookie with name=cookie_name_2 and value=cookie_value_2, path=/, SameSite=strict
HTTP::cookie insert name "cookie_name_2" value "cookie_value_2" path "/"
HTTP::cookie attribute "cookie_name_2" insert "SameSite" "strict"
# Insert a cookie with name=cookie_name_3 and value=cookie_value_3, path=/
# without SameSite set so we can modify that later in the iRule
HTTP::cookie insert name "cookie_name_3" value "cookie_value_3" path "/"
# Log the example Set-Cookie headers as if we got them from the application
log local0. "[IP::client_addr]:[TCP::client_port]: \[HTTP::header values set-cookie\]: [HTTP::header values {set-cookie}]"
set cookie_names [HTTP::cookie names]
log local0. "[IP::client_addr]:[TCP::client_port]: \$cookie_names ([llength $cookie_names]): $cookie_names"
foreach a_cookie $cookie_names {
log local0. "[IP::client_addr]:[TCP::client_port]:"
# Set the SameSite attribute to Strict if it's not set already
if {not [HTTP::cookie attribute $a_cookie exists {SameSite}] }{
log local0. "[IP::client_addr]:[TCP::client_port]: name=$a_cookie, setting SameSite to Strict"
HTTP::cookie attribute $a_cookie insert "SameSite" "Strict"
}
# Loop through the attributes for this cookie
set attr_names [HTTP::cookie attribute $a_cookie names]
if { $attr_names ne "" }{
log local0. "[IP::client_addr]:[TCP::client_port]: name=$a_cookie, SameSite exists? [HTTP::cookie attribute $a_cookie exists {SameSite}]"
# Log the cookie attribute names and values
foreach attr $attr_names {
log local0. "[IP::client_addr]:[TCP::client_port]: name=$a_cookie, attribute $attr=[HTTP::cookie attribute $a_cookie value $attr]"
}
}
}
}
# Example output of Set-Cookie headers from this iRule:
# Set-Cookie: cookie_name=cookie_value;Path=/;SameSite=None;Secure
# Set-Cookie: cookie_name_2=cookie_value_2;Path=/;SameSite=strict
# Set-Cookie: cookie_name_3=cookie_value_3;Path=/;SameSite=Strict
# Log output from /var/log/ltm:
# <HTTP_RESPONSE>: 10.1.1.8:51313: [HTTP::header values set-cookie]: {cookie_name=cookie_value;Path=/;SameSite=None;Secure}
# {cookie_name_2=cookie_value_2;Path=/;SameSite=strict} {cookie_name_3=cookie_value_3;Path=/}
# <HTTP_RESPONSE>: 10.1.1.8:51313: $cookie_names (3): cookie_name_2 cookie_name_3 cookie_name
# <HTTP_RESPONSE>: 10.1.1.8:51313:
# <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name_2, SameSite exists? 1
# <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name_2, attribute Path=/
# <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name_2, attribute SameSite=strict
# <HTTP_RESPONSE>: 10.1.1.8:51313:
# <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name_3, setting SameSite to Strict
# <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name_3, SameSite exists? 1
# <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name_3, attribute Path=/
# <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name_3, attribute SameSite=Strict
# <HTTP_RESPONSE>: 10.1.1.8:51313:
# <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name, SameSite exists? 1
# <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name, attribute Path=/
# <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name, attribute SameSite=None
# <HTTP_RESPONSE>: 10.1.1.8:51313: name=cookie_name, attribute Secure=
# Rename a cookie by inserting a new cookie name with the same value as the original. Then remove the old cookie.
when HTTP_REQUEST {
# Check if old cookie exists in request
if { [HTTP::cookie exists "old-cookie-name"] } {
# Insert a new cookie with the new name and old cookie's value
HTTP::cookie insert name "new-cookie-name" value [HTTP::cookie value "old-cookie-name"]
# Remove the old cookie
HTTP::cookie remove "old-cookie-name"
}
}
# Set the version to 1 first because HttpOnly can only be set for cookies with version 1 or 2 and the default version is 0:
# Set HttpOnly on all LTM and app generated cookies
when HTTP_RESPONSE {
set cookieNames [HTTP::cookie names]
foreach aCookie $cookieNames {
HTTP::cookie version $aCookie 1
HTTP::cookie httponly $aCookie enable
}
}
# Or just for one statically defined cookie:
when HTTP_RESPONSE {
HTTP::cookie version myCookie 1
HTTP::cookie httponly myCookie enable
}