Forum Discussion
matt_12671
Nimbostratus
Aug 26, 2013
How to properly insert HttpOnly and Secure cookie directives?
My load balancer has an iRule that adds the HttpOnly and Secure cookie directives. The rule is adding the directives multiple times, and in the incorrect places. How can I get the directives added c...
Kevin_Stewart
Employee
Aug 26, 2013
Depending on your application and LTM version, sometimes this is the easiest thing to do:
when HTTP_RESPONSE {
    foreach aCookie [HTTP::cookie names] {
        HTTP::cookie secure $aCookie enable
        HTTP::cookie httponly $aCookie enable
    }
}
I have seen problems with this though when the server sends an incompatible cookie version. Here then is a more brute-force way of adding the secure and httponly options to response Set-Cookie headers:
when SERVER_CONNECTED {
    # Start collecting the server-side TCP payload
    TCP::collect
}
when SERVER_DATA {
    # Find the start/end indices of every Set-Cookie header line in the payload
    set indices [regexp -all -inline -indices {Set-Cookie: [^\r]+} [TCP::payload]]
    set cookielist [list]
    foreach idx $indices {
        lappend cookielist [string range [TCP::payload] [lindex $idx 0] [lindex $idx 1]]
    }
    foreach x $cookielist {
        # The options are inserted in front of the cookie's "path=" attribute
        # (string map is case-sensitive); regsub treats $x as a regular expression
        if { not ( [string tolower $x] contains "secure" ) and not ( [string tolower $x] contains "httponly" ) } {
            # Neither option present: add both
            if { [regsub $x [TCP::payload] [string map {"path=" "secure; httponly; path="} $x] newdata] } {
                TCP::payload replace 0 [TCP::payload length] ""
                TCP::payload replace 0 0 $newdata
            }
        } elseif { not ( [string tolower $x] contains "secure" ) } {
            # Only secure is missing
            if { [regsub $x [TCP::payload] [string map {"path=" "secure; path="} $x] newdata] } {
                TCP::payload replace 0 [TCP::payload length] ""
                TCP::payload replace 0 0 $newdata
            }
        } elseif { not ( [string tolower $x] contains "httponly" ) } {
            # Only httponly is missing
            if { [regsub $x [TCP::payload] [string map {"path=" "httponly; path="} $x] newdata] } {
                TCP::payload replace 0 [TCP::payload length] ""
                TCP::payload replace 0 0 $newdata
            }
        }
    }
    TCP::collect
    TCP::release
}
It grabs all of the Set-Cookie headers into a list and then parses them individually to find existing secure and httponly options, replacing the payload if the options don't exist.
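An alternative that works on the parsed response headers instead of the raw TCP payload, added here as an example and not part of the original thread: it compares attribute names exactly rather than by substring, so an existing flag is never duplicated and a missing one is always appended at the end of the cookie. It uses only the standard iRule commands HTTP::header values, HTTP::header remove and HTTP::header insert; the variable names are illustrative.

```tcl
when HTTP_RESPONSE {
    # Every Set-Cookie header value in the response, as a Tcl list
    set cookies [HTTP::header values "Set-Cookie"]
    if { [llength $cookies] == 0 } { return }

    # Remove the originals; each one is re-inserted below, with flags added if missing
    HTTP::header remove "Set-Cookie"

    foreach cookie $cookies {
        # Collect the attribute names that follow the leading name=value pair.
        # "Path=/app" becomes "path", "Secure" becomes "secure", and so on.
        set attrs [list]
        foreach part [lrange [split $cookie ";"] 1 end] {
            lappend attrs [string tolower [string trim [lindex [split $part "="] 0]]]
        }

        # Exact, case-insensitive match on the attribute name, so a cookie whose
        # name or value merely contains "secure" or "httponly" is not skipped
        if { [lsearch -exact $attrs "secure"] < 0 } {
            append cookie "; Secure"
        }
        if { [lsearch -exact $attrs "httponly"] < 0 } {
            append cookie "; HttpOnly"
        }

        HTTP::header insert "Set-Cookie" $cookie
    }
}
```

Because the flags are appended rather than spliced in front of path=, cookies that carry no Path attribute are covered as well.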
