For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

AshuA_246482's avatar
AshuA_246482
Icon for Nimbostratus rankNimbostratus
Nov 29, 2017

How to fix secure cookie parameter - finding of pen test

We had a pen test get done on newly deployed application. and one of their finding is   When cookies are set which are used on the encrypted (HTTPS) part of the website, the Secure cookie paramete...
application delivery
LTM
Andy_McGrath's avatar
Andy_McGrath
Icon for Cumulonimbus rankCumulonimbus
Nov 29, 2017

If you cannot update the back end application/web server to add them can do the following in an iRule in the Response.

when HTTP_RESPONSE {
  if {[HTTP::cookie exists “newappcookie”]} {   
    HTTP::cookie secure “newappcookie” enable        
    HTTP::cookie httponly “newappcookie” enable
  }
}

Might also be able to do it using a Policy.

You might also need to set the cookie version to 0 with the following line before setting secure and httponly flags

HTTP::cookie version “newappcookie” 0

Test it with and without see which works.