Forum Discussion

Sumit_sam_14525
May 30, 2014

How to set HTTPOnly in cookie when HTTP::response & make the session persist on that cookie

I need to insert a secure cookie in HTTP::response and then make the session persist on that cookie.

Any ideas?

8 Replies

  • There are some good threads on here about this topic. Here's one that should help you:

    https://devcentral.f5.com/questions/cookie-persistence-sendfor-http-only

    And to set the secure attribute:

    http://support.f5.com/kb/en-us/solutions/public/11000/300/sol11324

  • Thanks for the quick reply. Can you suggest how to set HTTPOnly in a cookie when HTTP::request?

  • Within the thread I linked, Aaron posted this iRule:

    when HTTP_RESPONSE {
        # Check if the response contains the persistence cookie
        if {[HTTP::cookie BIGipServerMy_Http_Pool] ne ""}{
            # Set the httponly flag on the persistence cookie if it is in the response
            HTTP::cookie httponly BIGipServerMy_Http_Pool enable
        }
    }
    

    Some more details on HTTP cookie information and manipulation:

    https://devcentral.f5.com/wiki/iRules.http__cookie.ashx

  • I added the following iRule for enabling the secure flag, but it ended up blocking access to the website and I get "page cannot be displayed"!

    when HTTP_RESPONSE {
        # Check if the response contains the test cookie
        if {[HTTP::cookie test_Cookie]}{
            # Set the httponly & secure flag on the persistence cookie if it is in the response
            HTTP::cookie httponly test_Cookie enable
            HTTP::cookie secure test_Cookie enable
        }
    }

    Any ideas what could've caused this?

  • Tried a few more of the following combinations, had no luck.

    a)

    when HTTP_RESPONSE {
        # Check if the response contains the persistence cookie
        if {[HTTP::cookie test_Cookie] ne ""}{
            # Set the httponly & secure flag on the persistence cookie if it is in the response
            HTTP::cookie httponly test_Cookie enable
            HTTP::cookie secure test_Cookie enable
        }
    }

    b)

    when HTTP_RESPONSE {
        # Set the httponly & secure flag on the persistence cookie if it is in the response
        HTTP::cookie version test_Cookie 1
        HTTP::cookie httponly test_Cookie enable
        HTTP::cookie secure test_Cookie enable
    }

    Any ideas where I'm going wrong?

  • I'm able to add the secure flag with the following simple iRule:

    when HTTP_RESPONSE {
        set myValues [HTTP::cookie names]
        foreach mycookies $myValues {
            HTTP::cookie secure $mycookies enable
        }
    }

    However, if I try to add the httponly flag in the same iRule, it doesn't work.

    when HTTP_RESPONSE {
        set myValues [HTTP::cookie names]
        foreach mycookies $myValues {
            HTTP::cookie secure $mycookies enable
            HTTP::cookie httponly $mycookies enable
        }
    }

    I tried adding the version 1 option also, no luck. Any quick help will be appreciated.

  • For everyone's reference, I've fixed the issue with the following iRule.

    when HTTP_RESPONSE {
        # Set the secure flag on the session cookie
        HTTP::cookie secure "JSESSIONID" enable
        # Save every Set-Cookie header, remove them, then re-insert each with HttpOnly appended
        set ck [HTTP::header values "Set-Cookie"]
        HTTP::header remove "Set-Cookie"
        foreach acookie $ck {
            if {$acookie starts_with "JSESSIONID"} {
                HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
            } else {
                HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
            }
        }
    }
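Added example, not part of the thread and not F5 code: a Python model of the Set-Cookie rewrite in the last post, for checking captured response headers after such an iRule is deployed. It parses the attributes so that a flag already present is not appended a second time and text inside the cookie value is not mistaken for a flag; the function names and the sample header values are constructed for illustration.

```python
"""Model of a Set-Cookie rewrite that appends Secure/HttpOnly, plus an audit helper."""

def cookie_attrs(set_cookie):
    """Return the lower-cased attribute names that follow the name=value pair."""
    parts = set_cookie.split(";")[1:]   # element 0 is name=value, never an attribute
    return {p.split("=", 1)[0].strip().lower() for p in parts if p.strip()}

def harden(set_cookie, flags=("Secure", "HttpOnly")):
    """Append each missing flag once; the value and other attributes are untouched."""
    present = cookie_attrs(set_cookie)
    out = set_cookie.rstrip().rstrip(";")
    for flag in flags:
        if flag.lower() not in present:
            out += "; " + flag
    return out

def audit(set_cookie_values, flags=("Secure", "HttpOnly")):
    """Return {cookie_name: [missing flags]} for each header value lacking a flag."""
    report = {}
    for value in set_cookie_values:
        name = value.split("=", 1)[0].strip()
        missing = [f for f in flags if f.lower() not in cookie_attrs(value)]
        if missing:
            report[name] = missing
    return report

# Constructed sample: Set-Cookie values as a backend might send them.
SAMPLE = [
    "JSESSIONID=0A1B2C3D; Path=/app",
    "BIGipServerMy_Http_Pool=167880896.20480.0000; path=/",
    "secure_pref=httponly; Path=/; HttpOnly",     # value text must not count as a flag
    "test_Cookie=abc; Path=/; secure; httponly",  # already flagged, lower case
]

if __name__ == "__main__":
    print("before:", audit(SAMPLE))
    hardened = [harden(v) for v in SAMPLE]
    for v in hardened:
        print(v)
    print("after:", audit(hardened))
```

Running `audit` over the Set-Cookie values captured from a response shows which cookies still reach the client without a flag.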