Forum Discussion
cdjac0bsen
Dec 29, 2015 Nimbostratus
httponly and secure cookie attributes in application vs. ASM cookies on v11.4.1
Vulnerability scanners in our environment have flagged applications as needing the httponly and secure attributes set so I started investigating what I needed to do. I discovered the ASM cookie sett...
cdjac0bsen
Dec 29, 2015 Nimbostratus
Where are these attributes enforced, on the client? If you insert these attributes via the application cookie properties but not the ASM cookies, will it (client?) still enforce them? Do the ASM cookie attribute settings override the application cookie settings? Could I, in fact, make the case and prove to the vuln scan team (internal, by the way) that the attributes are set if I only enable them on the application cookie? I wish F5 had some kind of flow diagram that showed how the ASM and application cookies worked together. I've read the individual KB articles on the two cookie types, but I can't get my head around the whole flow. I wonder if anyone has experimented with these settings and has some Fiddler traces.