Here's my situation... I have a site, www.sample.com - configured with Akamai. The "origin" points to a VS on my LTM to which I have an iRule that sends users to different pools depending on a cookie value. I want to allow certain users to hit a specific pool but also want them to do so through Akamai. Since access to Akamai is wide open, I need them to hit my "origin" first and if they match my whitelist, I'll set a cookie and redirect them. My initial assumption was that I'd do something like this: 1. A user hits origin.sample.com/1 2. My iRule inserts a cookie named "x" with the value of whatever is behind the / - in this case, a 1. 3. The iRule redirects them to www.sample.com (which goes through Akamai) and since they have a cookie value of 1, they'd go to the right pool. Unfortunately, I forgot that the cookie "x" with value of "1" would be for the domain "origin.sample.com" and not "www.sample.com" so this likely wouldn't work. Can anyone think of a better way to do this? Could I configure an iRule on my origin VS that looks at cookies from a specific domain?

Hi Chris, Couldn't you set the domain on the x cookie to sample.com so that clients will send the cookie on all requests to any sample.com domain? Aaron

Posted By hoolio on 06/26/2010 02:15 PM Hi Chris, Couldn't you set the domain on the x cookie to sample.com so that clients will send the cookie on all requests to any sample.com domain? Aaron Aaron - I love having you around! I should have noticed the "domain" option in the http::cookie wiki. Thanks!

Aaron - how would I go about checking to see whether a cookie exists for a different domain? If they have a cookie for www.example.com, I'll need to remove it before inserting my new one...

You could check the domain on each cookie using a loop of HTTP::cookie domain against a list from HTTP::cookie names. Are you concerned that you might already have a cookie x set by the app? Aaron

Posted By hoolio on 06/28/2010 08:22 AM You could check the domain on each cookie using a loop of HTTP::cookie domain against a list from HTTP::cookie names. Are you concerned that you might already have a cookie x set by the app? Aaron If a user first goes to www.sample.com, they'll get sent to pool 1 or pool 2 - if pool 1, they'll get a cookie set to "1". Now, if they specify origin.sample.com/2, I need to check whether a cookie exists for www.sample.com, rewrite its value to "2", and redirect them to www.sample.com.

Multi-Domain Cookie Issue

11 Replies

hooleylist
Cirrostratus
Jun 26, 2010
Hi Chris,

Couldn't you set the domain on the x cookie to sample.com so that clients will send the cookie on all requests to any sample.com domain?

Aaron
Chris_Miller
Altostratus
Jun 28, 2010
Posted By hoolio on 06/26/2010 02:15 PM

Hi Chris,

Couldn't you set the domain on the x cookie to sample.com so that clients will send the cookie on all requests to any sample.com domain?

Aaron

Aaron - I love having you around! I should have noticed the "domain" option in the http::cookie wiki. Thanks!
Chris_Miller
Altostratus
Jun 28, 2010
Aaron - how would I go about checking to see whether a cookie exists for a different domain? If they have a cookie for www.example.com, I'll need to remove it before inserting my new one...
hooleylist
Cirrostratus
Jun 28, 2010
You could check the domain on each cookie using a loop of HTTP::cookie domain against a list from HTTP::cookie names. Are you concerned that you might already have a cookie x set by the app?

Aaron
Chris_Miller
Altostratus
Jun 28, 2010
Posted By hoolio on 06/28/2010 08:22 AM

You could check the domain on each cookie using a loop of HTTP::cookie domain against a list from HTTP::cookie names. Are you concerned that you might already have a cookie x set by the app?

Aaron

If a user first goes to www.sample.com, they'll get sent to pool 1 or pool 2 - if pool 1, they'll get a cookie set to "1". Now, if they specify origin.sample.com/2, I need to check whether a cookie exists for www.sample.com, rewrite its value to "2", and redirect them to www.sample.com.
hooleylist
Cirrostratus
Jun 28, 2010
The HTTP request doesn't include any details for cookies other than the cookie name and value. So you couldn't tell just from the request what domain a cookie was set for. You might be able to set the name or value with a unique string that tells you what VS (or domain) the cookie was set for.

Aaron
Chris_Miller
Altostratus
Jun 28, 2010
Posted By hoolio on 06/28/2010 08:57 AM

The HTTP request doesn't include any details for cookies other than the cookie name and value. So you couldn't tell just from the request what domain a cookie was set for. You might be able to set the name or value with a unique string that tells you what VS (or domain) the cookie was set for.

Aaron

If I try to set a cookie for domain www.sample.com that already exists - what would the browser do?
hooleylist
Cirrostratus
Jun 28, 2010
If the domain on the cookie (and all other attributes), the browser should replace the old cookie with the new cookie value. If the domain or other attribute (like path) is different, then the client will store two cookies. The simplest way to check the exact behavior would be to use a browser plugin like HttpFox and test it.

Aaron
Chris_Miller
Altostratus
Jun 28, 2010
Posted By hoolio on 06/28/2010 09:48 AM

If the domain on the cookie (and all other attributes), the browser should replace the old cookie with the new cookie value. If the domain or other attribute (like path) is different, then the client will store two cookies. The simplest way to check the exact behavior would be to use a browser plugin like HttpFox and test it.

Aaron

For whatever reason - the domain cookie insert doesn't appear to be working. I'm basically saying : If user hits x.sample.com/1, set cookie "x" with value "1" domain "www.awesome.com" http::redirect "http://www.awesome.com" This doesn't appear to be setting a cookie for the www.awesome.com domain - any ideas?
hooleylist
Cirrostratus
Jun 28, 2010
HTTP user agents enforce a domain "firewall" to prevent one site from setting, accessing or modifying cookies from another domain. A subdomain can set cookies for it's own root domain though. So site1.example.com can set cookies for example.com which will be sent by clients to site2.example.com. But as you found, no subdomain on example.com can't set cookies for example2.com or any other domain.

See this wikipedia article for details:

http://en.wikipedia.org/wiki/Same_origin_policy

Can you use subdomains for this? If not, I think you'll need to re-architect the solution. I suppose you could insert something in the URI in the redirect which contains similar info.

Aaron

Forum Discussion

Multi-Domain Cookie Issue

11 Replies

Recent Discussions

Provisioning r2600 equipment

Block CBC

active/active Support Declarative Onboarding

Error while running ansible

URL

Related Content

Regex issue

Cookie-based DDoS protection

Cookie Tampering Protection using F5 Distributed Cloud Platform

2. SYN Cookie: Operation

8. SYN Cookie: Troubleshooting tcpdump