Forum Discussion
Joel_Moses
Nimbostratus
Sep 18, 2006
Best way to set HttpOnly attribute on cookie
The subject says it all...
Does anyone out there have any experiences to relate tagging some cookies (as they pass through) as HttpOnly cookies? IE supports this, and lots of our sites requi...
Joel_Moses
Nimbostratus
Sep 20, 2006
Okay, so the long and short of it is, if you want to enable this functionality:
http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/httponly_cookies.asp
... then you need to construct your cookie manually in HTTP_RESPONSE using HTTP::header Set-Cookie instead of HTTP::cookie. The reason is, although the F5 can manipulate attributes on cookies, it doesn't support setting HttpOnly as a valid attribute -- nor does it support adding arbitrary attributes to cookies.
So, instead of "HTTP::cookie insert COOKIE somevalue version 1":
HTTP::header insert "Set-Cookie" "COOKIE=somevalue;Version=1;Secure;HttpOnly"
is really the only way to set a cookie with this attribute.
It would be nice if you could set custom attributes -- yeah, it's non-standard, but the standard allows for User-Agents to discard silently non-standard values, so it's at least safe.
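Added example, not part of the original posts and not F5's own code: an iRule sketch that applies the `HTTP::header` approach above to cookies passing through from the server, rebuilding each `Set-Cookie` header and appending `HttpOnly` where it is missing. The cookie names in `httponly_names` are assumptions for illustration.

```tcl
when HTTP_RESPONSE {
    # Assumed (hypothetical) names of the cookies to tag; adjust per application.
    set httponly_names {JSESSIONID ASPSESSIONID}

    # A response can carry several Set-Cookie headers; collect them all.
    set cookies [HTTP::header values "Set-Cookie"]
    if { [llength $cookies] == 0 } { return }

    # Remove the originals, then re-insert each one, tagged where needed.
    HTTP::header remove "Set-Cookie"
    foreach c $cookies {
        # The cookie name is the text before the first "=".
        set name [string trim [lindex [split $c "="] 0]]

        # Tag only listed cookies that do not already carry the attribute.
        # The pattern matches HttpOnly as an attribute, not as part of a value.
        if { [lsearch -exact $httponly_names $name] >= 0 &&
             ![regexp -nocase {;\s*httponly\s*(;|$)} $c] } {
            append c "; HttpOnly"
        }
        HTTP::header insert "Set-Cookie" $c
    }
}
```

Cookies not in the list are re-inserted unchanged, so any cookie that client-side script legitimately reads keeps working.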