SamiK_85475
Sep 02, 2010

Internal parameters for HTTPOnly and Secure cookies

Hello,

I've been looking for an iRule to set those parameters for cookies leaving the BIGIP, but now ran into ASM 10.2 release notes claiming there are two new internal parameters exactly for this. I just don't know how to turn those on?

Thanks,

Sami

http://support.f5.com/kb/en-us/prod...0_2_0.html

Fixes in this release

This release includes the following fixes.

....

Cookie internal parameters added (CR131850)

There are two more internal parameters, not available in the Configuration utility.

• Cookie_secure_attr: Cookie secure special attribute. If you set this parameter’s value to 1, the system adds a secure attribute to each Application Security Manager cookie in the response. The system adds the secure attribute only when the traffic protocol is HTTPS. This prevents the network from sniffing the cookie. The parameter’s default value is 0 (false).

• Cookie_httponly_attr: Cookie HTTPOnly special attribute. If you set this parameter’s value to 1, the system adds the HTTPOnly attribute to each Application Security Manager cookie in the response. This instructs the browser to restrict JavaScript access to that cookie. This mitigates the risk of someone picking up that cookie using XSS. The parameter’s default value is 0 (false).
  • The answer is in the Release Notes:

    To add and change the default settings of these parameters, open the command line, and use the add_del_internal script, in the following format:

    /usr/share/ts/bin/add_del_internal add

    To delete an internal parameter from your configuration, from the command line, enter the following command:

    /usr/share/ts/bin/add_del_internal del

    After adding or deleting an internal parameter, you must enter and run the command bigstart restart asm in order for the changes to take effect.
  • Thank you very much for this tip. I was trying different ways to turn on the COOKIE SECURE FLAG, but this is what I needed.

    On the other hand, how much time does it take for the ASM module to be up after the restart?

    Regards.
  • "On the other hand, how much time does it take for the ASM module to be up after the restart?"

    I never counted, but I do not think it takes too long. Maybe it is less than 5 minutes.
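
Added example (not part of the thread, and not F5 code): one way to confirm, after the restart, that the ASM cookies in a response actually carry the two attributes the release notes describe. It reads raw response headers and reports what each ASM cookie is missing, expecting Secure only for HTTPS responses. The `TS` cookie-name prefix and the sample headers are assumptions made for illustration.

```python
"""Check that ASM cookies in a response carry the Secure and HttpOnly attributes."""

# Constructed sample: response headers as saved from an HTTPS request to the virtual server.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=8F3A; Path=/app
Set-Cookie: TS01a2b3c4=01f9e1; Path=/; Secure; HttpOnly
Set-Cookie: TS01d5e6f7=01c2aa; Path=/; HTTPOnly
"""


def parse_set_cookies(raw_headers):
    """Return [(name, {lowercased attribute names})] for each Set-Cookie header."""
    cookies = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue  # status line or some other header
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].partition("=")[0].strip()
        # Attribute names are case-insensitive, so compare them lowercased.
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
        cookies.append((name, attrs))
    return cookies


def missing_attrs(raw_headers, https=True, prefix="TS"):
    """Map each ASM cookie name to the attributes it lacks.

    Secure is expected only when the response came over HTTPS, because the
    release notes say it is added only for HTTPS traffic. The "TS" prefix
    used to pick out ASM cookies is an assumption; adjust it as needed.
    """
    expected = {"httponly"} | ({"secure"} if https else set())
    report = {}
    for name, attrs in parse_set_cookies(raw_headers):
        if name.startswith(prefix):
            gaps = sorted(expected - attrs)
            if gaps:
                report[name] = gaps
    return report


if __name__ == "__main__":
    for name, gaps in missing_attrs(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(gaps)}")
```
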