Forum Discussion

Nimbostratus

Sep 17, 2006

Best way to set HttpOnly attribute on cookie

The subject says it all... Does anyone out there have any experiences to relate tagging some cookies (as they pass through) as HttpOnly cookies? IE supports this, and lots of our sites requi...

Nimbostratus

Sep 20, 2006

Okay, so the long and short of it is, if you want to enable this functionality:

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/httponly_cookies.asp

... then you need to construct your cookie manually in HTTP_RESPONSE using HTTP::header Set-Cookie instead of HTTP::cookie. The reason is, although the F5 can manipulate attributes on cookies, it doesn't support setting HttpOnly as a valid attribute -- nor does it support adding arbitrary attributes to cookies.

So, instead of "HTTP::cookie insert COOKIE somevalue version 1":

HTTP::header insert "Set-Cookie" "COOKIE=somevalue;Version=1;Secure;HttpOnly"

is really the only way to set a cookie with this attribute.

It would be nice if you could set custom attributes -- yeah, it's non-standard, but the standard allows for User-Agents to discard silently non-standard values, so it's at least safe.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)