Forum Discussion

Danny_Alvarez_1
Feb 08, 2016

Adding "HTTP::cookie httponly $mycookie enable" on iRule breaks connection on an HTTPS VIP

Hi,

Trying to secure cookies and apply the HttpOnly flag at the same time with the following iRule:

    # Runs on every server response passing through the virtual server
    when HTTP_RESPONSE {
        # Walk every Set-Cookie in the response and add both flags
        foreach mycookie [HTTP::cookie names] {
            HTTP::cookie secure $mycookie enable
            HTTP::cookie httponly $mycookie enable
        }
    }

The iRule breaks the site with a "Secure Connection Failed" error message when

    HTTP::cookie httponly $mycookie enable

is used, and it works fine when that line is removed (site is up and the cookie includes the Secure flag).

What issues can I expect when applying above iRule on an HTTPS VIP doing SSL Offloading?

3 Replies

  • Hi Danny,

    could you please elaborate some additional details about "breaks the site with a "Secure Connection Failed""? Is this error message generated in the LTM logfiles, or is this an error message generated on the client side?

    Assuming that the iRule works fine and doesn't raise a TCL error, then the HttpOnly flag would instruct your browser to protect the cookie in such a way that the cookie could only be accessed when requesting HTTP(S) content, but not accessed directly using scripting languages (e.g. JScript) or other programs.

    Enabling the HttpOnly flag is one of the best defenses to counter Cross-Site-Scripting (XSS) attacks on sensitive cookie information. But on the other hand it may break your application, if certain "friendly" JScripts have to access the raw cookie information/data...

    Cheers, Kai

  • Thank you Kai.

    "Secure Connection Failed" comes up on the browser.

    Can you think of any logs/captures that can tell us and the client what is breaking?

    This being SSL secured, captures complicate troubleshooting.

    Thanks again.

    Danny.

  • Hi Danny,

    it looks like an ordinary TCP connection reset. In this case you'll hopefully find some additional information in your LTM log file. Keep an eye out for TCL related errors...

    To capture SSL requests/responses I can recommend using Fiddler2. Fiddler2 is a free SSL-Inspection enabled Forward-Proxy (runs on your desktop) that lets you explore SSL protected HTTP communication. Give it a try, download and install this tool and don't forget to turn on SSL inspection within the Fiddler HTTPS Options. But I guess in your specific case Fiddler2 would also just see the connection reset?

    Note: Keep in mind that [HTTP::cookie httponly] is relatively new. You have to use v11+ to use this command.

    Cheers, Kai
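A variant of the original iRule, added here as an example (not code from the thread), that follows Kai's advice to look for TCL errors: each cookie command is wrapped in Tcl's catch and any failure is written to the LTM log via log local0. with the cookie name, so the error is recorded instead of aborting the iRule. The log prefix string is an assumption.

```tcl
# Same intent as the original iRule: add Secure and HttpOnly to every
# response cookie, but record any TCL error per cookie in the LTM log.
when HTTP_RESPONSE {
    foreach mycookie [HTTP::cookie names] {
        # catch returns non-zero if the command raised a TCL error;
        # the error text is stored in $err
        if { [catch { HTTP::cookie secure $mycookie enable } err] } {
            log local0. "cookie-flags: secure failed for '$mycookie': $err"
        }
        # HTTP::cookie httponly requires v11+ (see Kai's note above);
        # on older releases this is the branch that will fire
        if { [catch { HTTP::cookie httponly $mycookie enable } err] } {
            log local0. "cookie-flags: httponly failed for '$mycookie': $err"
        }
    }
}
```

Grep /var/log/ltm for the "cookie-flags:" prefix after reproducing the failure; the logged $err text identifies which command and which cookie name the TCL interpreter rejected.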