Forum Discussion

Moinul_Rony's avatar
Moinul_Rony
Icon for Altostratus rankAltostratus
Jan 21, 2015

Configure the Domain cookie attribute which instructs web browsers to only send the cookie to the specified domain and all subdomains

Hi,   Can we configure the "Domain" Cookie via ASM or iRule ? This is a PCI security requirement that we have to impose.   We just need a Domain attribute in the session cookie. Currently sinc...
application delivery
ASM Advanced WAF
citrix
devops
iRules
LTM
security
Michael_Jenkins's avatar
Michael_Jenkins
Icon for Cirrostratus rankCirrostratus
Jan 21, 2015

Basically, this is what we are using (though we also have an iRule that intercepts logoff pages to ensure removal of these cookies too). I think we set a variable in access policy completed to check here and do this so you don't have it adding every time, just when the policy completes and the user is logged in.

when HTTP_RESPONSE_RELEASE {
     Might could use HTTP_RESPONSE instead of HTTP_RESPONSE_RELEASE

    set sid [ACCESS::session sid]
    set domaininfo ".[domain [HTTP::host] 2]"
     Domain needs the prefixed "."

    HTTP::cookie insert name "MRHSession" value $sid path "/" domain $domain
    HTTP::cookie insert name "LastMRH_Session" value [substr $sid [expr [string length $sid] - 8]] path "/" domain $domain
}