Disable http for Cookie persistance setup

Question

We have a requirement from an IVR vendor to enable Cookie without HTTP. I tried to configure Cookie w/o http and got an error that Cookie persistence requires an HTTP or FastHTTP profile to be associated with the virtual server. Is there a way to fulfill this setup below?&nbsp;

HTTP Cookie
 If the HTTP Cookie persistence type is selected, ensure that the cookie type is
not HTTPOnly (this may be the default type in some NLB models). HTTPOnly
cookies are not available for Java Applets, which also require session stickiness.
 If the HTTP Cookie persistence type is selected, ensure that you determine a
unique cookie name for each service.&nbsp;

aaron_booker · Answer

If you are going to use cookie persistence, for this application running through BIG-IP, it sounds like you need to disable the HTTPOnly Attribute in the cookie persistence profile.
Without the HttpOnly flag a client side script can access the cookie. I should note that the HttpOnly flag protects against XSS attacks. Here is more information:&nbsp;
K83419154: Overview of cookie persistence&nbsp;
OWASP article about HttpOnly&nbsp;

Forum Discussion

Disable http for Cookie persistance setup

Recent Discussions

Statistics ›› Analytics : HTTP : Overview

VS FORWARDING & ROUTE

Diameter iRules attachment?

Source IP F5 DNS Zone Forwarder

F5 BIG-IP

Related Content

Decoding the IPv4 address from the persistence cookie

Disable cookie persistance in irule

How OneConnect Profile works with Cookie Persistence

Persistence Cookie Logging

Persistence Cookie Logger

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS