Forum Discussion
How to set secure and httponly flag on all cookies
We have a situation where the cookies do not have secure and httponly.
I have the following iRules, can you please advise if they are the proper way to enable secure and httponly flag in all cookies?
1.

```tcl
when HTTP_RESPONSE {
    set myValues [HTTP::cookie names]
    foreach mycookies $myValues {
        HTTP::cookie secure $mycookies enable
        HTTP::cookie httponly $mycookies enable
    }
}
```

2.

```tcl
when HTTP_RESPONSE {
    set cookies [HTTP::cookie names]
    # Loop through each cookie by name in request
    foreach aCookie $cookies {
        log local0. "Cookie Name: $aCookie being secured."
        # Replace cookie name from list and set Secure Flag to Enable
        HTTP::cookie secure $aCookie enable
        HTTP::cookie httponly $aCookie enable
    }
}
```
7 Replies
- Kevin_Stewart
Employee
There's a few examples around, but please see this post:
https://devcentral.f5.com/questions/how-to-properly-insert-httponly-and-secure-cookie-directives
- nitass
Employee
It seems HTTP::cookie version does not work.

```
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_RESPONSE {
        set myValues [HTTP::cookie names]
        foreach mycookies $myValues {
            HTTP::cookie version $mycookies 1
            HTTP::cookie secure $mycookies enable
            HTTP::cookie httponly $mycookies enable
        }
    }
}
[root@ve11a:Active:Changes Pending] config cat /var/log/ltm
Aug 28 09:06:56 ve11a err tmm[1091]: 01220001:3: TCL error: /Common/myrule - Illegal argument (line 2) invoked from within "HTTP::cookie version $mycookies 1" ("foreach" body line 2) invoked from within "foreach mycookies $myValues { HTTP::cookie version $mycookies 1 HTTP::cookie secure $mycookies enable HTTP::cookie httponly $mycookies en..."
```

So, I remove the cookie if its version is not 1, insert it back and set secure and httponly flags.
e.g.
```
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.20.111:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        http { }
        tcp { }
    }
    rules {
        myrule
    }
    source 0.0.0.0/0
    source-address-translation {
        type automap
    }
    vs-index 23
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync Changes Pending)(Active)(/Common)(tmos) list ltm rule myrule
ltm rule myrule {
    when HTTP_RESPONSE {
        set myValues [HTTP::cookie names]
        foreach mycookies $myValues {
            if { [HTTP::cookie version $mycookies] != 1 } {
                set ckval [HTTP::cookie value $mycookies]
                set ckpath [HTTP::cookie path $mycookies]
                HTTP::cookie remove $mycookies
                HTTP::cookie insert name $mycookies value $ckval path $ckpath version 1
            }
            HTTP::cookie secure $mycookies enable
            HTTP::cookie httponly $mycookies enable
        }
    }
}
```

to server directly

```
[root@ve11a:Active:Changes Pending] config curl -I http://200.200.200.101
HTTP/1.1 200 OK
Date: Wed, 28 Aug 2013 01:01:54 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 23 May 2013 00:28:46 GMT
ETag: "4185a8-59-c3efab80"
Accept-Ranges: bytes
Content-Length: 89
Set-Cookie: abc=1234; path=/; Secure
Set-Cookie: def=5678; path=/; HttpOnly; Version=1
Set-Cookie: xyz=abcd; path=/; Version=2
Content-Type: text/html; charset=UTF-8
```

via bigip

```
[root@ve11a:Active:Changes Pending] config curl -I http://172.28.20.111
HTTP/1.1 200 OK
Date: Wed, 28 Aug 2013 01:01:57 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Thu, 23 May 2013 00:28:46 GMT
ETag: "4185a8-59-c3efab80"
Accept-Ranges: bytes
Content-Length: 89
Set-Cookie: def=5678;Secure; path=/; HttpOnly; Version=1
Content-Type: text/html; charset=UTF-8
Set-Cookie: abc=1234;HttpOnly;Secure;Path=/;Version=1;
Set-Cookie: xyz=abcd;HttpOnly;Secure;Path=/;Version=1;
```

- Kevin_Stewart
Employee
I would just add that if you're going to do it this way, that you need to also capture any possibly existing domain and expires flags so that you accurately represent the intended Set-Cookie.
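As an added example (not code from the thread or from F5), here is a small Python checker that models what the remove/insert iRule does to each Set-Cookie header: it reports which cookies in a captured response (for instance the `curl -I` output above) lack Secure or HttpOnly, and adds the flags while keeping Domain, Expires, Path and Version, the attributes Kevin_Stewart warns must not be lost when a cookie is removed and reinserted. The cookie values and the `example.test` domain in the sample are constructed.

```python
# Added example (not from the thread): a Python model of the Set-Cookie rewrite.
from typing import Dict, List, Optional, Tuple

Attr = Tuple[str, Optional[str]]

def parse_set_cookie(header: str) -> Tuple[str, str, List[Attr]]:
    """Split 'name=value; attr; attr=val' into name, value and ordered attributes."""
    # Drop empty pieces so a trailing ';' (as in the BIG-IP output) is tolerated.
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: List[Attr] = []
    for piece in parts[1:]:
        key, sep, val = piece.partition("=")
        attrs.append((key.strip(), val.strip() if sep else None))
    return name.strip(), value.strip(), attrs

def missing_flags(header: str) -> List[str]:
    """Return which of Secure / HttpOnly a Set-Cookie header lacks (case-insensitive)."""
    _, _, attrs = parse_set_cookie(header)
    present = {key.lower() for key, _ in attrs}
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in present]

def harden_set_cookie(header: str) -> str:
    """Add Secure and HttpOnly, keeping Domain, Expires, Path, Version etc. untouched."""
    name, value, attrs = parse_set_cookie(header)
    for flag in missing_flags(header):
        attrs.append((flag, None))
    rendered = [f"{name}={value}"] + [k if v is None else f"{k}={v}" for k, v in attrs]
    return "; ".join(rendered)

def audit_response_headers(raw: str) -> Dict[str, List[str]]:
    """Map every Set-Cookie in a raw header block (e.g. curl -I output) to its missing flags."""
    report: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if line.lower().startswith("set-cookie:"):
            header = line.split(":", 1)[1].strip()
            name, _, _ = parse_set_cookie(header)
            report[name] = missing_flags(header)
    return report

# Constructed sample: the three cookies the origin in the thread sent directly,
# plus one with Domain and Expires to show those attributes survive the rewrite.
ORIGIN_HEADERS = """HTTP/1.1 200 OK
Set-Cookie: abc=1234; path=/; Secure
Set-Cookie: def=5678; path=/; HttpOnly; Version=1
Set-Cookie: xyz=abcd; path=/; Version=2
Set-Cookie: sess=opaque; Domain=example.test; Path=/; Expires=Wed, 28 Aug 2013 01:01:54 GMT
"""

if __name__ == "__main__":
    for cookie, missing in audit_response_headers(ORIGIN_HEADERS).items():
        print(cookie, "missing:", missing or "nothing")
```

Run it against the origin and the BIG-IP capture of the same response; an empty list for every cookie on the BIG-IP side confirms the rewrite, and any Domain or Expires value that changed between the two captures shows the iRule dropped it.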
- Jason_Adams
Ret. Employee
If you have reached this discussion and are still looking for a solution; this one is worth a read:
How to add Httponly and Secure attributes to HTTP cookies (for 11.5.x)
- Nikoolayy1_1797
Nimbostratus
In version 12 you don't need an irule, because the cookie profile has HTTPOnly and Secure flag options.
- Chris_Olson
Nimbostratus
Where is this activated in 12.x? We just upgraded and would prefer this over the irule. I have searched but can't find any information on how to do this. If you could point me to a KB article it would be much appreciated.
- Carl_Corliss
Nimbostratus
Nikoolayy1,
Are you talking about Cookie Persistence Profiles? If so, how would you configure it so that all cookies (without having to know the name of each) are converted to secure? Sadly, I'm not seeing how that's possible. :-(
