Forum Discussion

Jos__233__Manue's avatar
Icon for Nimbostratus rankNimbostratus
Sep 29, 2011

HTTP::cookie httponly enable doesn't seem to do anything

On LTM v10.2 setting "HTTP::cookie httponly enable" has no effect.



On the wiki, it says this is for v11 only, but it seems to be recognized. Also, there's no more information about this command on the wiki




This is an application that can be accessed through two different URLs and I want to set the path and add secure an httponly attributes.




The iRule is hte following:






set add_persist 1


set cookie_path "/"










if { [HTTP::cookie exists "JSESSIONID"] } {


persist uie [HTTP::cookie "JSESSIONID"]


} else {


set jsess [findstr [HTTP::uri] "jsessionid" 11 ";"]


if { $jsess != "" } {


persist uie $jsess






switch -glob [HTTP::path] {


"/url1*" {


set cookie_path "/url1"




"/url2*" {


set cookie_path "/url2"












if { [HTTP::cookie exists "JSESSIONID"] and $add_persist } {


HTTP::cookie path "JSESSIONID" $cookie_path


HTTP::cookie secure "JSESSIONID" enable


HTTP::cookie httponly enable


persist add uie [HTTP::cookie "JSESSIONID"]


set add_persist 0









The Set-Cookie does not add httponly, just secure and path.




Any ideas on how to enable httponly this way? Or should I generate the Set-Cookie header directly?


1 Reply

  • Hi Jose,



    The httponly option was added in v11 and shouldn't work in past versions. You'd need to modify the Set-Cookie header to append it in pre-v11.