I don't think you're explicitly removing the existing cookie before adding a new one. One sort of quirky thing about HTTP cookies is that a unique instance is defined not just by the cookie name, but also a combination of its value, path, expires, and other attributes. So,
```
Set-Cookie foo=test1;path=/;secure;httponly
Set-Cookie foo=test2;path=/;secure;httponly
Set-Cookie foo=test2;path=/;httponly
```
are all separate cookies as far as the browser is concerned. Inserting a cookie with the same name, by virtue of a different "signature", is actually creating a new cookie.
I also typically don't like to set the HttpOnly flag using the `HTTP::cookie` command because it can behave badly. Instead, here's what I would use to replace a given set of cookies and set the secure and HttpOnly flags:
```tcl
when HTTP_RESPONSE {
    foreach aCookie [HTTP::cookie names] {
        # only rewrite the cookie if it is missing the HttpOnly or secure attribute
        if { ( [HTTP::cookie httponly $aCookie] equals "disable" ) or ( [HTTP::cookie secure $aCookie] equals "disable" ) } {
            # get cookie value and path
            set value [HTTP::cookie value $aCookie]
            set path [HTTP::cookie path $aCookie]
            # get and insert domain if it exists
            if { [HTTP::cookie domain $aCookie] ne "" } {
                set domain "domain=[HTTP::cookie domain $aCookie];"
            } else {
                set domain ""
            }
            # get and insert expires only if it exists
            if { [HTTP::cookie expires $aCookie] ne "" } {
                set expires_local [clock format [expr [clock seconds] + [HTTP::cookie expires $aCookie]] -format "%a, %d-%b-%Y %H:%M:%S GMT" -gmt true]
                set expires "expires=$expires_local;"
            } else {
                set expires ""
            }
            # remove the original cookie so the rewritten one replaces it instead of being added alongside it
            HTTP::cookie remove $aCookie
            # insert a new cookie via HTTP header inject
            HTTP::header insert "Set-Cookie" "$aCookie=$value;path=$path;${domain}${expires}secure;HttpOnly;"
        }
    }
}
```
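As an added example (not the iRule from the post above), the same replace-rather-than-append idea in plain Python over a list of response headers: each Set-Cookie header is rewritten in place with Secure and HttpOnly added once, and no second copy of the cookie is produced. The header values are constructed samples.

```python
# Added example (not from the original post): rewrite a response's
# Set-Cookie headers so every cookie carries Secure and HttpOnly, replacing
# each original header instead of appending a second copy of the cookie.
# The header values below are constructed sample input.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, [attribute strings])."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    return name.strip(), value.strip(), [a for a in parts[1:] if a]

def harden_set_cookie(header, flags=("Secure", "HttpOnly")):
    """Return the header with each missing flag appended exactly once.
    Existing attributes (Path, Domain, Expires, SameSite, ...) are kept verbatim,
    and attribute names are matched case-insensitively."""
    name, value, attrs = parse_set_cookie(header)
    present = {a.split("=", 1)[0].strip().lower() for a in attrs}
    for flag in flags:
        if flag.lower() not in present:
            attrs.append(flag)
    return "; ".join([f"{name}={value}"] + attrs)

def harden_response_cookies(headers):
    """headers: list of (name, value) tuples as sent by the origin server.
    Every Set-Cookie entry is replaced in place; all other headers pass through,
    so the number of Set-Cookie headers never grows."""
    out = []
    for hname, hvalue in headers:
        if hname.lower() == "set-cookie":
            out.append((hname, harden_set_cookie(hvalue)))
        else:
            out.append((hname, hvalue))
    return out

SAMPLE_HEADERS = [  # constructed sample origin response headers
    ("Content-Type", "text/html"),
    ("Set-Cookie", "foo=test1; path=/"),
    ("Set-Cookie", "session=abc; Path=/app; Domain=example.test; HttpOnly"),
    ("Set-Cookie", "csrf=xyz; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for hname, hvalue in harden_response_cookies(SAMPLE_HEADERS):
        print(f"{hname}: {hvalue}")
```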