

Tabish_Mirza_12
Jan 27, 2014

Cookie Persistence “Secure” and “HTTP Only”

Hi Folks,

We are looking to configure “Secure” and “HTTP Only” cookie persistence. We need to know how to configure it and apply it to the Virtual Server. We configured cookie persistence with the HTTP Cookie Insert method type, but I believe this is not the right way to set a Secure and HTTP Only cookie. We are getting the following output with the current setting, which is not right. Please advise how to set “Secure” and “HTTP Only”.

Set-Cookie: BIGipServer_WEB_Servers_Pool=20293824.20480.0000; path=/

Thanks

6 Replies

  • At a minimum you could do something like this:

    when HTTP_RESPONSE {
        foreach x [HTTP::cookie names] {
            if { $x starts_with "BIGipServer" } {
                HTTP::cookie remove $x
                HTTP::cookie insert name $x value [HTTP::cookie $x] path "/" version 1
                HTTP::cookie secure $x enable
                HTTP::cookie httponly $x enable
            }
        }
    }
    
  • Hi Kevin,

    Many thanks indeed for your response.

    Do I need to modify this, or can I copy it as-is into the iRule text editor and apply it? Moreover, how can I attach the iRule to the VS? Do I need to create a universal persistence profile, call the iRule from it and then apply that under the VS default persistence profile, or something else? I am running BIG-IP version 11.4.

    Your prompt response would be highly appreciated.

    Many thanks indeed for your help once again.

  • If you're just trying to set the secure and httponly flags on the BIGipServer persistence cookie, then you can add this iRule as is to a virtual server. It works with a default cookie persistence profile. Copy the above iRule text to a new iRule (Local Traffic - iRules - Create). Apply the iRule to the virtual server along with the default "cookie" persistence profile.


  • Ahh. Minor oversight.

    when HTTP_RESPONSE {
        foreach x [HTTP::cookie names] {
            if { $x starts_with "BIGipServer" } {
                set ckname $x
                set ckvalue [HTTP::cookie value $x]
                HTTP::cookie remove $x
                HTTP::cookie insert name $ckname value $ckvalue path "/" version 1
                HTTP::cookie secure $ckname enable
                HTTP::cookie httponly $ckname enable
            }
        }
    }
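    Once the corrected iRule above is applied, the thing to verify is what the virtual server actually sends back. The script below is an added example for this thread, not code from the original post or from F5: it parses Set-Cookie header values the way a tester would (e.g. from `curl -sI https://vs.example/`), reports any BIGipServer cookie that still lacks Secure or HttpOnly, and decodes the default cookie value into the pool member's address and port. That decoding is the documented BIG-IP encoding for IPv4 members (the address as a little-endian 32-bit integer in decimal, then the byte-swapped port), and it is the reason the flags matter: the cookie value reveals an internal IP:port, so it should not travel over plaintext HTTP or be readable by page scripts. The two sample headers are constructed; the first is the one quoted in the question, the second is what the corrected iRule is expected to produce.

```python
"""Check BIG-IP persistence cookies for the Secure and HttpOnly flags.

Added example for this thread, not code from the original post or from F5.
A constructed sample is embedded so the script runs offline; in practice
feed it the Set-Cookie header values returned by the virtual server.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample headers: the first is the one quoted in the question,
# the second is what the corrected iRule is expected to emit.
SAMPLE_SET_COOKIE_HEADERS = [
    "BIGipServer_WEB_Servers_Pool=20293824.20480.0000; path=/",
    "BIGipServer_WEB_Servers_Pool=20293824.20480.0000; path=/; Secure; HttpOnly",
]

REQUIRED_FLAGS = ("secure", "httponly")


@dataclass
class Cookie:
    name: str
    value: str
    # attribute names lower-cased; valueless flags (Secure, HttpOnly) map to None
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip())
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        cookie.attrs[key.strip().lower()] = val.strip() if sep else None
    return cookie


def missing_flags(cookie: Cookie) -> List[str]:
    """Return the required flags this cookie does not carry."""
    return [flag for flag in REQUIRED_FLAGS if flag not in cookie.attrs]


def decode_bigip_cookie(value: str) -> Optional[str]:
    """Decode the default BIGipServer value 'A.P.0000' to 'ip:port'.

    A is the pool member's IPv4 address as a decimal integer in little-endian
    byte order and P is the port, also byte-swapped. Returns None for values
    in any other format (the cookie is not always in this plain form).
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.0000", value)
    if not m:
        return None
    try:
        addr = ipaddress.IPv4Address(int(m.group(1)).to_bytes(4, "little"))
        port = int.from_bytes(int(m.group(2)).to_bytes(2, "little"), "big")
    except OverflowError:
        return None
    return f"{addr}:{port}"


def audit_set_cookie_headers(headers: List[str]) -> List[str]:
    """One finding per BIGipServer cookie that lacks Secure or HttpOnly."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if not cookie.name.startswith("BIGipServer"):
            continue  # only the persistence cookie is in scope here
        missing = missing_flags(cookie)
        if missing:
            member = decode_bigip_cookie(cookie.value) or "undecodable"
            findings.append(
                f"{cookie.name}: missing {', '.join(missing)}; "
                f"value reveals pool member {member}"
            )
    return findings


if __name__ == "__main__":
    results = audit_set_cookie_headers(SAMPLE_SET_COOKIE_HEADERS)
    for line in results or ["no findings"]:
        print(line)
```

    Run against the sample, it flags only the first header (the one from the question) and shows that its value decodes to a 192.168.x.x member on port 80; the second header, with both flags present, passes. Point it at the real virtual server's responses to confirm the iRule is doing what the thread intends.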
    
  • If applied to the virtual on which the cookie is inserted, you can get away with this (it takes advantage of the fact that "HTTP::header replace" affects only the last instance of a given header):

    when HTTP_RESPONSE {
        if { [HTTP::cookie exists "cookiename"] } {
            HTTP::header replace Set-Cookie "[HTTP::header value Set-Cookie];HttpOnly;Secure"
        }
    }
    
  • I tried to use this and got the error: 01070151:3: Rule [secure_cookie] error: line 9: [wrong args] [HTTP::cookie httponly $ckname enable]. I am clueless on iRules and not sure how to fix it. Please advise...

  • What BIG-IP version are you on? The httponly option was added in v11.