For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

matt_12671's avatar
matt_12671
Icon for Nimbostratus rankNimbostratus
Aug 26, 2013

How to properly insert HttpOnly and Secure cookie directives?

My load balancer has an iRule that adds the HttpOnly and Secure cookie directives. The rules is adding the directives multiple times, and in the incorrect places. How can I get the directives added c...
application delivery
devops
iRules
matt_12671's avatar
matt_12671
Icon for Nimbostratus rankNimbostratus
Sep 04, 2013

A co-worker and I figured out something that works for us:

set unsafe_cookie_headers [HTTP::header values "Set-Cookie"]
HTTP::header remove "Set-Cookie"

foreach set_cookie_header $unsafe_cookie_headers {  
    HTTP::header insert "Set-Cookie" "${set_cookie_header}; Secure; HttpOnly"
}
  • matt_12671's avatar
    matt_12671
    Icon for Nimbostratus rankNimbostratus
    Sep 04, 2013
    Evidently, I can't pick my own answer as the answer. If I could, I would pick this.
  • BinaryCanary_19's avatar
    BinaryCanary_19
    Historic F5 Account
    Sep 18, 2013
    Be careful about setting the secure attribute if the connection is not HTTPS: http://en.wikipedia.org/wiki/HTTP_cookieCookie_attributes