Forum Discussion

sarlith_140589
Oct 08, 2014

Cookie Encryption issue, lots of errors

Hello! My F5 event logs are filled with the following message, and I can't figure out why:

TCL error: /Common/CookieEnrcypt  - list element in quotes followed by ":null" instead of space while executing "lsearch -all -inline [HTTP::cookie names] $static::ck_pattern" 

I've searched through other threads and nothing seems similar enough to help me. I'm not super with coding but have been using F5 for six months or so. Here is the iRule generating the error...a simple script to encrypt our cookies I pulled from this site. It seems to be working okay, the cookies are encrypted, but my logs are slamming me hard. Any insight would be appreciated.

when RULE_INIT {

    # Cookie name prefix
    set static::ck_pattern "BIGipServer*"

    # Log debug to /var/log/ltm? (1=yes, 0=no)
    set static::ck_debug 0

    # Cookie encryption passphrase
    # Change this to a custom string!
    set static::ck_pass "XXXXX"
}
when HTTP_REQUEST {

    if {$static::ck_debug} {log local0. "Request cookie names: [HTTP::cookie names]"}

    # Check if the cookie names in the request match our string glob pattern
    if {[set cookie_names [lsearch -all -inline [HTTP::cookie names] $static::ck_pattern]] ne ""} {

        # We have at least one match so loop through the cookie(s) by name
        if {$static::ck_debug} {log local0. "Matching cookie names: [HTTP::cookie names]"}
        foreach cookie_name $cookie_names {

            # Decrypt the cookie value and check if the decryption failed (null return value)
            if {[HTTP::cookie decrypt $cookie_name $static::ck_pass] eq ""} {

                # Cookie wasn't encrypted, delete it
                if {$static::ck_debug} {log local0. "Removing cookie as decryption failed for $cookie_name"}
                HTTP::cookie remove $cookie_name
            }
        }
        if {$static::ck_debug} {log local0. "Cookie header(s): [HTTP::header values Cookie]"}
    }
}
when HTTP_RESPONSE {

    if {$static::ck_debug} {log local0. "Response cookie names: [HTTP::cookie names]"}

    # Check if the cookie names in the response match our string glob pattern
    if {[set cookie_names [lsearch -all -inline [HTTP::cookie names] $static::ck_pattern]] ne ""} {

        # We have at least one match so loop through the cookie(s) by name
        if {$static::ck_debug} {log local0. "Matching cookie names: [HTTP::cookie names]"}
        foreach cookie_name $cookie_names {

            # Encrypt the cookie value
            HTTP::cookie encrypt $cookie_name $static::ck_pass
        }
        if {$static::ck_debug} {log local0. "Set-Cookie header(s): [HTTP::header values Set-Cookie]"}
    }
}

1 Reply

  • where exactly "here" did you find this irule?

    it seems, but my TCL knowledge is not at expert level, this has something to do with performing a lsearch (list search) on a string. where apparently a string is not always the same as a list, see also:

    http://www.doxer.org/resolved-tcl-error-list-element-in-quotes-followed-by-instead-of-space-while-executing-tcl/

    so it seems some cookie names are so odd to lsearch they aren't seen as a list. in principle you might want to drop using lsearch but a quick search hasn't gotten me a good alternative.

    you could try the advice from the doxer.org link, but no guarantees.

    try replacing the current part

    [lsearch -all -inline [HTTP::cookie names] $static::ck_pattern]

    with

    [lsearch -all -inline [split [HTTP::cookie names]] $static::ck_pattern]

    on both HTTP_REQUEST AND HTTP_RESPONSE events

    i tested it and for me it still worked, so that is fine. you will have to check if this still encrypts cookies and doesn't cause the errors anymore.
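
The string-versus-list behaviour discussed in this thread can be reproduced outside the BIG-IP with plain tclsh. This is an added example, not code from the original post or the reply; the cookie-name strings are constructed samples, and it assumes `[HTTP::cookie names]` hands `lsearch` a whitespace-separated string like these.

```tcl
# Added example for tclsh (Tcl 8.4-compatible commands only).
# It compares the iRule's original lsearch expression with the
# split-based expression suggested in the reply.

set pattern "BIGipServer*"

# Constructed samples standing in for the value of [HTTP::cookie names]
# (an assumption about its shape, not captured traffic).
set samples [list \
    {BIGipServerpool_web JSESSIONID} \
    {BIGipServerpool_web "session":null JSESSIONID} \
    "BIGipServerpool_web \{oops JSESSIONID" \
]

foreach raw $samples {
    puts "names : $raw"

    # Original expression: $raw is parsed as a Tcl list, so a name that
    # starts with a double quote or an unbalanced brace raises an error.
    if {[catch {lsearch -all -inline $raw $pattern} result]} {
        puts "  raw string -> TCL error: $result"
    } else {
        puts "  raw string -> $result"
    }

    # Reply's expression: split on whitespace first. split always returns
    # a well-formed list, whatever characters the names contain.
    set matches [lsearch -all -inline [split $raw] $pattern]
    puts "  with split -> $matches"

    # The matched names can then be iterated safely, as the iRule does
    # before calling HTTP::cookie decrypt / encrypt on each one.
    foreach cookie_name $matches {
        puts "  would process cookie: $cookie_name"
    }
}
```

A client-supplied cookie name is untrusted input, so any request carrying a name that is not valid Tcl list syntax triggers the logged error with the original expression and the rule aborts for that request before the decrypt check runs.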