
Forum Discussion

opediggitty_692
Nov 19, 2014

http_only iRule no longer needed?

  We have recently upgraded from a pair of 6400s running 10.2.0 to a pair of 5000s running 11.4.0 with LTM and ASM. I had thought that at some point in between there the http_only cookie issue was resolved either in LTM or ASM and that we no longer have to use this iRule to fix the issue. Can someone confirm this for me and, if so, shoot me the steps on doing so?

Thanks in advance,

    when HTTP_RESPONSE {
        # Walk every cookie the server set in this response.
        foreach cookie [HTTP::cookie names] {
            set value [HTTP::cookie value $cookie]
            if { "" != $value } {
                set testvalue [string tolower $value]
                set valuelen [string length $value]
                # Note: this logs the full cookie value, session cookies included.
                log local0. "Cookie found: $cookie = $value"
                # Append "; Secure" unless the value already carries it.
                switch -glob $testvalue {
                    "*;secure*" -
                    "*; secure*" { }
                    default { set value "$value; Secure" }
                }
                # Append "; HttpOnly" unless the value already carries it.
                switch -glob $testvalue {
                    "*;httponly*" -
                    "*; httponly*" { }
                    default { set value "$value; HttpOnly" }
                }
                # Rewrite the cookie only if something was appended.
                if { [string length $value] > $valuelen } {
                    log local0. "Replacing cookie $cookie with $value"
                    HTTP::cookie value $cookie "${value}"
                }
            }
        }
    }
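Whichever mechanism ends up setting the attributes (the iRule above or an ASM policy setting), the result can be checked from the client side by parsing the `Set-Cookie` headers the virtual server returns. The following is an added example, not part of the original post or F5's code; the function names and the sample headers are constructed for illustration.

```python
# Added example: audit Set-Cookie header values for Secure and HttpOnly.
REQUIRED = ("Secure", "HttpOnly")

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attrs)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive, so normalise them.
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def missing_flags(header):
    """Return the required attributes this header lacks."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in REQUIRED if flag.lower() not in attrs]

def harden(header):
    """Return the header with any missing flags appended."""
    return "; ".join([header.rstrip("; ")] + missing_flags(header))

def audit(headers):
    """Map cookie name -> missing flags, only for cookies missing any."""
    report = {}
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        missing = missing_flags(header)
        if missing:
            report[name] = missing
    return report

# Constructed sample headers (not captured from a real system).
SAMPLE = [
    "JSESSIONID=abc123; Path=/",
    "lb_persist=167880896.20480.0000; path=/; HttpOnly",
    "pref=insecure_mode; Path=/; secure;HTTPONLY",  # "secure" inside the value must not count
    "track=1; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for name, missing in audit(SAMPLE).items():
        print(f"{name}: missing {', '.join(missing)}")
```
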

3 Replies

  • Hi,

    If you use an ASM security policy, you can add the http_only attribute via:

    Security  ››  Application Security : Headers : Cookies List  ››  Edit Cookie

    and set "Insert HttpOnly attribute". But be aware that the Application Security will not check the enforcement of this attribute.

  • Vitaliy,

    Thanks for the info. However, can you expand on how or why it doesn't check the enforcement? You are saying that because the iRule is testing it?

    Thanks,


  • Vitaliy,

    I was also wondering when this feature in ASM became available. I know we had to use the iRule at some point before but didn't know when they added this feature.

    Thanks again,