For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Danny_Alvarez_1's avatar
Danny_Alvarez_1
Icon for Nimbostratus rankNimbostratus
Feb 08, 2016

Adding "HTTP::cookie httponly $mycookie enable" on iRule breaks connection on an HTTPS VIP

Hi, Trying to secure cookies and apply HttpOnly flag at the same time with the following iRule: when HTTP_RESPONSE { foreach mycookie [HTTP::cookie names] { HTTP::cookie secure $mycookie enable...
application delivery
iRules
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Feb 08, 2016

Hi Danny,

 

could you please elaborate some additional details, about "breaks the site with a "Secure Connection Failed"? Is this error message generated in the LTM logfiles, or is this an error message generated on the client side?

 

Assuming that the iRule works fine and doesn't raises an TCL error. Then the HttpOnly flag would instruct your browser to protect the cookie in such a way, that the cookie could only be accessed when requesting HTTP(S) content. But not directly access using scripting languages (e.g. JScript) nor other programs.

 

Enabling the HttpOnly flag is one of the best defenses to counter Cross-Site-Scripting (XSS) attacks on sesitive cookie information. But on the other hand may break your application, if certain "friedly" JScripts have to access the raw cookie information/data...

 

Cheers, Kai

 

Related Content