Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

elandreth_29975's avatar
elandreth_29975
Icon for Nimbostratus rankNimbostratus
Apr 16, 2019

irule to mark cookies httponly/secure - selectively

Hello iRule Wizards, I have an irule that I've grabbed off of devcentral to flag all cookies as secure/httponly. I want to continue flagging all cookies with secure/httponly but only if the cookie...
big-ip
irules
security
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Apr 17, 2019

Hi Elandreth,

 

the iRule is slightly complicated but it should work fine.

 

To add the skip functionality to the iRule you will need to replace the part below...

 

    re-insert in any case (rather then do it selectively on an as-needed per-cookie basis)
   foreach cookie1 $setckval {
    set cookie1 [string trimright [string trimright $cookie1] ";"]

... with the code below ...

 

    re-insert in any case (rather then do it selectively on an as-needed per-cookie basis)
   foreach cookie1 $setckval {
    if { $cookie1 starts_with "XYZ" } then {
        HTTP::header insert "Set-Cookie" $cookie1
        break
    }
    set cookie1 [string trimright [string trimright $cookie1] ";"]

You could also use the quickly written iRule below. Its does the same as the iRule above but using a less complicated syntax...

 

when CLIENT_ACCEPTED {
    set is_ssl [PROFILE::exists clientssl]
}
when HTTP_RESPONSE {
    set cookie_list [HTTP::header values "Set-Cookie"]
    HTTP::header remove "Set-Cookie"
    if { $is_ssl } then {
        foreach cookie $cookie_list {
            switch -glob -- [string tolower $cookie] {
                "xyz*" {
                     Skip cookie starting with XYZ
                }
                "*;*secure*httponly*" - "*;*httponly*secure*" {
                     The cookie has already a Secure and HttpOnly flag...
                }
                "*;*httponly*" {
                    set cookie "[string trimright $cookie "; "]; Secure"
                }
                "*;*secure*" {
                    set cookie "[string trimright $cookie "; "]; HttpOnly"
                }
                default {
                    set cookie "[string trimright $cookie "; "]; Secure; HttpOnly"
                }
            }
            HTTP::header insert "Set-Cookie" $cookie
        }
    } else {
        foreach cookie $cookie_list {
            switch -glob -- [string tolower $cookie] {
                "xyz*" {
                     Skip cookie starting with XYZ
                }
                "*;*httponly*" {
                     The cookie has already a Secure and HttpOnly flag...
                }
                default {
                    set cookie "[string trimright $cookie "; "]; HttpOnly"
                }
            }
            HTTP::header insert "Set-Cookie" $cookie
        }
    }
}

Cheers, Kai