Joel_Moses
Sep 18, 2006

Best way to set HttpOnly attribute on cookie

The subject says it all...

Does anyone out there have any experiences to relate tagging some cookies (as they pass through) as HttpOnly cookies? IE supports this, and lots of our sites require IE (don't shoot me, it wasn't my decision), so I figure it's okay to try this.

  • Okay, so the long and short of it is, if you want to enable this functionality:

    http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/httponly_cookies.asp

    ... then you need to construct your cookie manually in HTTP_RESPONSE using HTTP::header Set-Cookie instead of HTTP::cookie. The reason is, although the F5 can manipulate attributes on cookies, it doesn't support setting HttpOnly as a valid attribute -- nor does it support adding arbitrary attributes to cookies.

    So, instead of "HTTP::cookie insert COOKIE somevalue version 1":

    HTTP::header insert "Set-Cookie" "COOKIE=somevalue;Version=1;Secure;HttpOnly"

    is really the only way to set a cookie with this attribute.

    It would be nice if you could set custom attributes -- yeah, it's non-standard, but the standard allows for User-Agents to discard silently non-standard values, so it's at least safe.


  • hoolio
    Hi,

    Thanks for posting the solution you came up with.

    If you think it would be helpful to include the ability to add a non-standard attribute to a cookie using HTTP::cookie or a similar command, you could open a case with support and request it be added to a future release. If you end up doing so, please post the CR for the Request for Enhancement so other customers can reference it.

    Thanks,

    Aaron
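
An added example, not part of the original thread and not F5's own code: the manual Set-Cookie approach from the first reply, applied to cookies that pass through from the back-end server, as the original question asks. The cookie names in `protected_cookies` are hypothetical placeholders.

```tcl
when HTTP_RESPONSE {
    # Hypothetical names of the cookies to tag; replace with your own.
    set protected_cookies [list "JSESSIONID" "AUTHTOKEN"]

    # Collect every Set-Cookie header the server sent, then remove them
    # so each one can be re-inserted, tagged where needed.
    set set_cookies [HTTP::header values "Set-Cookie"]
    HTTP::header remove "Set-Cookie"

    foreach sc $set_cookies {
        # The cookie name is everything before the first "=".
        set name [string trim [lindex [split $sc "="] 0]]

        # Tag only the listed cookies, and only when HttpOnly is not
        # already present as an attribute (case-insensitive match at an
        # attribute boundary, so a value containing the word is ignored).
        if { [lsearch -exact $protected_cookies $name] >= 0 &&
             ![regexp -nocase {;\s*httponly\s*(;|$)} $sc] } {
            append sc "; HttpOnly"
        }

        # Re-insert the header, modified or not, so no cookie is lost.
        HTTP::header insert "Set-Cookie" $sc
    }
}
```

Cookies that legitimate client-side script reads through `document.cookie` should stay off the list, since HttpOnly hides them from script.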