Cookies with Duplicate Names, but different values not getting Secure and HttpOnly attributes set
Hi jba3126
I have a few thoughts on this. You might try to debug the contents of the [HTTP::cookie names] function by feeding its output into the log command and observing the returned names.
I did spot an older forum post which parses the HTTP headers directly instead of using the HTTP::cookie function: https://community.f5.com/t5/technical-forum/http-cookie-how-can-i-handle-cookies-with-duplicate-names-but/m-p/271656
I repasted it with cleaned up formatting here. Modify the logic to match on whichever cookie names you need to modify.
    when HTTP_RESPONSE {
        # Variables persist for the life of the connection, so clear entries left by an earlier response
        unset -nocomplain CookieArray
        set CookieCounter 0
        # Save every Set-Cookie header value, including those that share a cookie name
        foreach SetCookieHeader [HTTP::header values Set-Cookie] {
            incr CookieCounter
            log local0. "Saving Set-Cookie header value in array, index number = $CookieCounter, Value = $SetCookieHeader"
            set CookieArray("$CookieCounter") "$SetCookieHeader"
        }
        HTTP::header remove "Set-Cookie"
        log local0. "Removing Set-Cookie HTTP headers"
        # Re-insert each saved value, appending HttpOnly to the matching cookies
        foreach {Index Cookie} [array get CookieArray] {
            if { $Cookie contains "iPlanetDirectoryPro" } {
                HTTP::header insert "Set-Cookie" "$Cookie; HttpOnly"
                log local0. "Inserting cookie - $Cookie; HttpOnly"
            } else {
                HTTP::header insert "Set-Cookie" "$Cookie"
                log local0. "Inserting cookie - $Cookie"
            }
        }
    }
As for the second item, the failing SSO: this may be related to the use of client-side JavaScript that may help trigger the logon process. You might try setting each attribute separately to narrow it down, and also check with the application vendor if possible for configuration best practices.
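To confirm from the client side that every Set-Cookie header ended up with both attributes, the following added example (not part of the reply above and not F5 code) audits each header value on its own, so cookies that share a name are not collapsed into one entry, and shows the append-only-if-missing logic. The sample headers, cookie names and function names are constructed for illustration.

```python
"""Audit Set-Cookie headers one at a time so duplicate cookie names stay separate."""

# Constructed sample: response headers in which two cookies share the name "session".
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc; Path=/app; Secure; HttpOnly"),
    ("Set-Cookie", "session=xyz; Path=/"),
    ("Set-Cookie", "lang=en; Path=/; secure"),
]

REQUIRED = ("Secure", "HttpOnly")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, set of lower-cased attribute names)."""
    first, *rest = value.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = {part.split("=", 1)[0].strip().lower() for part in rest if part.strip()}
    return name, attrs


def audit(headers):
    """Return one finding per Set-Cookie header: (position, name, missing attributes)."""
    findings = []
    position = 0
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        position += 1
        name, attrs = parse_set_cookie(value)
        # Attribute names are case-insensitive, so compare in lower case.
        missing = [a for a in REQUIRED if a.lower() not in attrs]
        findings.append((position, name, missing))
    return findings


def harden(value):
    """Append only the attributes that are absent, never duplicating an existing one."""
    _, attrs = parse_set_cookie(value)
    for attr in REQUIRED:
        if attr.lower() not in attrs:
            value += "; " + attr
    return value


if __name__ == "__main__":
    for position, name, missing in audit(SAMPLE_HEADERS):
        print(position, name, "missing:", ", ".join(missing) or "none")
```

Keying the findings by header position rather than by cookie name is what keeps the second "session" cookie visible; a dictionary keyed on name would report only one of them.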