Forum Discussion
ChrisJ_128794
Nimbostratus
May 22, 2014
HTTP::cookie incorrectly marks an insecure cookie as secure if followed by another secure cookie [10.2.4]
We have a public application that failed a security audit when some cookies did not have the secure flag. We had an iRule in place to force all cookies in the response to have the secure flag, but it...
What_Lies_Bene1
Cirrostratus
May 23, 2014
Based on the information here the HTTP::cookie command isn't too reliable: https://devcentral.f5.com/questions/how-to-properly-insert-httponly-and-secure-cookie-directives.
I'd highly recommend you use something like this (from that article), but you'll need to add a check to see if those attributes already exist:
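when HTTP_RESPONSE {
    # Collect every Set-Cookie header, remove them all, then re-insert each
    # one with the flags appended. Attributes already present are not checked.
    set unsafe_cookie_headers [HTTP::header values "Set-Cookie"]
    HTTP::header remove "Set-Cookie"
    foreach set_cookie_header $unsafe_cookie_headers {
        HTTP::header insert "Set-Cookie" "${set_cookie_header}; Secure; HttpOnly"
    }
}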
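The check the reply above calls for, as an added example that is not part of the thread or the linked article: each Set-Cookie header is parsed into its attribute names, and Secure or HttpOnly is appended only when that attribute is missing. It assumes attributes are separated by ";" and that cookie values contain no ";"; the variable names are illustrative.

```tcl
when HTTP_RESPONSE {
    # Work on the raw Set-Cookie headers rather than HTTP::cookie.
    set cookie_headers [HTTP::header values "Set-Cookie"]
    HTTP::header remove "Set-Cookie"

    foreach cookie_header $cookie_headers {
        # The first ";"-separated element is the name=value pair;
        # everything after it is an attribute.
        set attrs [list]
        foreach part [lrange [split $cookie_header ";"] 1 end] {
            # Keep only the attribute name, lower-cased: " Path=/" -> "path"
            lappend attrs [string tolower [string trim [lindex [split $part "="] 0]]]
        }

        # Append each flag only if this header does not already carry it,
        # so an existing "secure" or "HTTPONLY" is not duplicated.
        foreach {name token} {secure Secure httponly HttpOnly} {
            if { [lsearch -exact $attrs $name] == -1 } {
                append cookie_header "; $token"
            }
        }

        HTTP::header insert "Set-Cookie" $cookie_header
    }
}
```

Because every header is evaluated on its own attribute list, a secure cookie that follows an insecure one has no effect on whether the first one gets the flag.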