F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Joel_Moses's avatar
Joel_Moses
Icon for Nimbostratus rankNimbostratus
Sep 17, 2006

Best way to set HttpOnly attribute on cookie

The subject says it all...     Does anyone out there have any experiences to relate tagging some cookies (as they pass through) as HttpOnly cookies? IE supports this, and lots of our sites requi...
application delivery
dev
devops
iRules
Joel_Moses's avatar
Joel_Moses
Icon for Nimbostratus rankNimbostratus
Sep 20, 2006
Okay, so the long and short of it is, if you want to enable this functionality:

 

 

http://msdn.microsoft.com/library/default.asp?url=/workshop/author/dhtml/httponly_cookies.asp

 

 

... then you need to construct your cookie manually in HTTP_RESPONSE using HTTP::header Set-Cookie instead of HTTP::cookie. The reason is, although the F5 can manipulate attributes on cookies, it doesn't support setting HttpOnly as a valid attribute -- nor does it support adding arbitrary attributes to cookies.

 

 

So, instead of "HTTP::cookie insert COOKIE somevalue version 1":

 

 

HTTP::header insert "Set-Cookie" "COOKIE=somevalue;Version=1;Secure;HttpOnly"

 

 

is really the only way to set a cookie with this attribute.

 

 

It would be nice if you could set custom attributes -- yeah, it's non-standard, but the standard allows for User-Agents to discard silently non-standard values, so it's at least safe.