Forum Discussion
Joel_Moses
Nimbostratus
Sep 18, 2006
Best way to set HttpOnly attribute on cookie
The subject says it all...
Does anyone out there have any experiences to relate tagging some cookies (as they pass through) as HttpOnly cookies? IE supports this, and lots of our sites require IE (don't shoot me, it wasn't my decision), so I figure it's okay to try this.
2 Replies
- Joel_Moses
Nimbostratus
Okay, so the long and short of it is, if you want to enable this functionality:
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/httponly_cookies.asp
... then you need to construct your cookie manually in HTTP_RESPONSE using HTTP::header Set-Cookie instead of HTTP::cookie. The reason is, although the F5 can manipulate attributes on cookies, it doesn't support setting HttpOnly as a valid attribute -- nor does it support adding arbitrary attributes to cookies.
So, instead of "HTTP::cookie insert COOKIE somevalue version 1":
HTTP::header insert "Set-Cookie" "COOKIE=somevalue;Version=1;Secure;HttpOnly"
is really the only way to set a cookie with this attribute.
It would be nice if you could set custom attributes -- yeah, it's non-standard, but the standard allows for User-Agents to discard silently non-standard values, so it's at least safe.
- hoolio
Cirrostratus
Hi,
Thanks for posting the solution you came up with.
If you think it would be helpful to include the ability to add a non-standard attribute to a cookie using HTTP::cookie or a similar command, you could open a case with support and request it be added to a future release. If you end up doing so, please post the CR for the Request for Enhancement so other customers can reference it.
Thanks,
Aaron
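The Set-Cookie header approach from the first reply, applied to cookies set by the back-end server as they pass through. This is an added example, not code posted by anyone in the thread; the cookie names in `protected` are hypothetical placeholders.

```tcl
when HTTP_RESPONSE {
    # Hypothetical names of the cookies to tag; replace with your own.
    set protected [list "JSESSIONID" "AUTHTOKEN"]

    # Capture every Set-Cookie header the server sent, then remove them
    # so each one can be re-inserted, modified or untouched.
    set originals [HTTP::header values "Set-Cookie"]
    if { [llength $originals] == 0 } { return }
    HTTP::header remove "Set-Cookie"

    foreach sc $originals {
        # The cookie name is everything before the first "=".
        set name [string trim [lindex [split $sc "="] 0]]

        # Check for an existing HttpOnly attribute. Compare whole
        # attributes, case-insensitively, so a cookie *value* that
        # happens to contain the text "httponly" is not mistaken for it.
        set has_httponly 0
        foreach attr [lrange [split $sc ";"] 1 end] {
            if { [string equal -nocase [string trim $attr] "HttpOnly"] } {
                set has_httponly 1
                break
            }
        }

        # Tag only the selected cookies, and only once.
        if { [lsearch -exact $protected $name] >= 0 && !$has_httponly } {
            append sc "; HttpOnly"
        }

        # Re-insert the header so no cookie is lost.
        HTTP::header insert "Set-Cookie" $sc
    }
}
```

Cookies not listed in `protected` are re-inserted unchanged, so client-side scripts that legitimately read them keep working.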