For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

riverj30_77570's avatar
riverj30_77570
Icon for Nimbostratus rankNimbostratus
Jun 04, 2014

F5/Oracle Access Manager - How to manipulate response to remove "httponly" from ObSSOCookie

Hi All,   is there a way to manipulate the response header for the F5 AccessGate? Currently we have configured Oracle Access Manager on our Staging F5 and are faced with the following issue:   ...
application delivery
devops
iRules
riverj30_77570's avatar
riverj30_77570
Icon for Nimbostratus rankNimbostratus
Jun 10, 2014

I was able to remove the httponly from the ObSSOCookie which is set by F5 by looking at the "HTTP_RESPONSE_RELEASE" even... below is my sample irule

 

when HTTP_RESPONSE_RELEASE {

 

log all cookies set cookieNames [HTTP::cookie names] foreach aCookie $cookieNames { log local0. "header is: [HTTP::header Set-Cookie]" }

 

change httponly on a cookie if { [HTTP::header Set-Cookie] contains "ObSSOCookie" } { HTTP::header replace Set-Cookie [string map -nocase {"; httponly" ""} [HTTP::header Set-Cookie]]

 

}

 

}