Forum Discussion
Mark_Wallis_833
Nimbostratus
Apr 13, 2010
Cookies - HttpOnly, Secure and ASM
Hi,
I'm trying to use the iRule code below in our HTTP_RESPONSE event to ensure that the secure flag is
enabled on all our outgoing Set-Cookie's.
foreach a_cookie [HTTP::coo...
hoolio
Cirrostratus
Apr 13, 2010
Hi Mark,
A few suggestions/notes:
It seems like a bug if you're setting the secure option on a cookie and then finding a cookie named HttpOnly. I'd suggest opening a case with F5 Support to have them confirm and document this issue.
HTTP_RESPONSE fires before the request is sent to ASM. So you'll need to use a "creative workaround" if you want to use an iRule to inspect and/or modify the response after ASM handles it. The workaround is described in SOL9388:
SOL9388: Using an iRule to parse post-ASM responses
https://support.f5.com/kb/en-us/solutions/public/9000/300/sol9388.html
I've had several customers balk at doing this because of the added complexity of the configuration. I'd suggest opening a case with F5 Support and asking them to add this functionality to the product without resorting to creating a second VS. If you do so and get a Change Request number, could you reply back with it so others can reference it?
Thanks, Aaron
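
An added example, not part of either post and not F5 code: a Python audit of `Set-Cookie` header values as a client would receive them, reporting cookies that lack `Secure` or `HttpOnly` and the symptom mentioned in the reply, a cookie whose name is itself a flag keyword. The function names and sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie header values for the flags discussed above.
FLAG_NAMES = {"secure", "httponly"}


def audit_set_cookie(header_value):
    """Return a list of findings for one Set-Cookie header value."""
    parts = [p.strip() for p in header_value.split(";")]
    name, sep, _value = parts[0].partition("=")
    name = name.strip()
    # Attribute names are case-insensitive; values (Path=/ etc.) are ignored.
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    findings = []
    # Symptom from the thread: a flag keyword shows up as the cookie name.
    if name.lower() in FLAG_NAMES:
        findings.append("cookie is named like a flag: %r" % name)
        return findings
    if not sep or not name:
        findings.append("malformed cookie pair: %r" % parts[0])
        return findings
    for flag in sorted(FLAG_NAMES):
        if flag not in attrs:
            findings.append("%s: missing %s" % (name, flag))
    return findings


def audit_response(set_cookie_headers):
    """Map each offending header to its findings; clean headers are omitted."""
    report = {}
    for header in set_cookie_headers:
        findings = audit_set_cookie(header)
        if findings:
            report[header] = findings
    return report


# Constructed sample headers (not captured from a real BIG-IP).
SAMPLE = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/; HttpOnly",
    "HttpOnly; Path=/",
    "tracking=xyz; Path=/",
]

if __name__ == "__main__":
    for header, findings in audit_response(SAMPLE).items():
        print(header, "->", findings)
```

Running it against headers captured on the client side of the virtual server shows what actually leaves the device after every processing stage, independent of where in the event order an iRule fired.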
