How to configure cookie "secure; http-only;" ?

Question

Hi Folks,
I want to make cookie secure and http only for an SSL url. I have wrote small irule to insert it in header. Does it make sense? Is there any problem we should expect if you are doing it in this way? I saw lot of big irules floating in Devcentral but bit confused now. Please help 🙂
when HTTP_RESPONSE {
        HTTP::header replace Set-Cookie "[HTTP::header value Set-Cookie];HttpOnly;Secure"
    }

-Freeky

yann_desmarest · Answer

Hello,
You can set the secure flag by using the following lines of codes (within HTTP_RESPONSE event) : 
set myValues [HTTP::cookie names]
foreach mycookies $myValues {
    HTTP::cookie secure $mycookies enable
    set value [HTTP::cookie value $mycookies]
    set testvalue [string tolower $value]
    set valuelen [string length $value]
    switch -glob $testvalue {
      "*;httponly*" -
      "*; httponly*" { }
      default { set value "$value; HttpOnly"; }
    }
    if { [string length $value] &gt; $valuelen} {
      HTTP::cookie value $mycookies "${value}"
    }
}

Forum Discussion

How to configure cookie "secure; http-only;" ?

1 Reply

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Not seeing the latest F5OS-A when running Journeys

Related Content

F5 Partner Solution Showcase - "ImmuniWeb - Application Security Testing and Remediation"

How I did it - "Securing Nvidia Triton Inference Server with NGINX Plus Ingress Controller”

How I did it - "Securing NVIDIA’s Morpheus AI Framework with NGINX Plus Ingress Controller”

wccp configuration for SSL Orchestrator

LockBit, Pwc2Own, AI, "Othello is solved" Oct30th to Nov5th, 2023 F5 SIRT This Week in Security

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS