Forum Discussion

Nimbostratus

Dec 29, 2015

httponly and secure cookie attributes in application vs. ASM cookies on v11.4.1

Vulnerability scanners in our environment have flagged applications as needing the httponly and secure attributes set so I started investigating what I needed to do. I discovered the ASM cookie sett...

Historic F5 Account

Jan 03, 2016

I don't think the ASM cookies have any specific login / session info. https://support.f5.com/kb/en-us/solutions/public/6000/800/sol6850.html. Primarily it would be app cookies, specifically the ones used for login / session.

The scan tool should tell you the cookies it doesn't like. You'll have to do some leg work to validate what the cookie is used for. If it is simply holding the background color the user likes for the kitty pictures, you probably don't need a secure flag.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

httponly and secure cookie attributes in application vs. ASM cookies on v11.4.1

Recent Discussions

loose login access when license expires

पेटीएम कस्टमर केयर नंबर

मैं शिकायत के लिए मीशो से कैसे संपर्क करूं?

Implementing Multi-Step Authentication with Separate Brute-Force Protections

IMAP-S External Health monitor

Related Content

SAML attributes

set HTTPOnly in cookie

Automating Application Deployment with BIG-IQ

Automate Application Delivery with F5 and HashiCorp Terraform and Consul

AD attributes in SAML assertion

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS