Forum Discussion

DaveC_53879
Dec 15, 2011

Mark cookie as secure

We have 2 virtual servers for an IIS site, one for http and the other for https, but they use the same pool on port 80. Is there a way to mark all of session cookies leaving the https VS as secure since the web server has no way of knowing? We do not enforce SSL. I'm sure this has been done before. I called support which pointed me back here. Thanks

 

  • Hi DaveC,

    Sure, you can do that. Try this:

    
    when HTTP_RESPONSE {
        set cookies [HTTP::cookie names]
        # Loop through each cookie by name in the response
        foreach aCookie $cookies {
            # Set the Secure flag on this cookie
            HTTP::cookie secure $aCookie enable
        }
    }
    

    Hope this helps.
  • Hi Michael,

    Thanks for the response. It doesn't appear to be working. I copied my existing 443 VS and applied the rule to the copy, but the cookie appears unchanged.

    This is what I get:

    Set-Cookie: ASPSESSIONIDASTACBAT=JFALACPAOAOKCFJDEBIJGEIM; path=/

    But this is what I need:

    Set-Cookie: ASPSESSIONIDASTACBAT=JFALACPAOAOKCFJDEBIJGEIM; path=/; secure

    Dave

  • You will have to take a look at the entire session in a tool like Fiddler2 to see it.

    The Secure Flag is only ever set on the response at the beginning of the session to let the client know that the cookie(s) should only be utilized in an HTTPS Tunnel.

    If you want to see it in the log you can add a logging statement and it will log it to the LTM Log for additional verification:

    
    when HTTP_RESPONSE {
        set cookies [HTTP::cookie names]
        # Loop through each cookie by name in the response
        foreach aCookie $cookies {
            # Record which cookie is being secured in the LTM log
            log local0. "Cookie Name: $aCookie being secured."
            # Set the Secure flag on this cookie
            HTTP::cookie secure $aCookie enable
        }
    }
    

    If you would like additional information you can see the Wiki Page for HTTP::cookie that covers the secure flag.

    HTTP::cookie secure [enable | disable]

    Sets or gets the value of the "secure" attribute. Applies to responses only. 'HTTP::cookie secure ' returns "enable" or "disable" depending on whether the secure flag is set. If 'HTTP::cookie secure enable' is used on a cookie which already has the secure flag set, no change is made to the cookie.

    Hope this helps.
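For readers who want to check a captured response rather than trust the log line, the following Python models what the iRule above does to each Set-Cookie header and adds an audit helper that lists cookies still lacking the Secure attribute. This is an added example, not code from the thread or from F5; the function names are mine, and the sample headers are constructed for the example (the session cookie line is the one Dave posted, the second cookie is invented). Like `HTTP::cookie secure ... enable`, the rewrite leaves a cookie that already carries Secure unchanged.

```python
"""Model of the Secure-flag rewrite performed on HTTP responses, plus an audit
helper for verifying captured responses. Added example, not from the thread."""

SECURE_ATTR = "secure"


def has_attribute(set_cookie: str, attr: str) -> bool:
    """True if the Set-Cookie value already carries the attribute.

    Attribute names are matched case-insensitively, which is how browsers
    treat them ('Secure', 'secure' and 'SECURE' are equivalent)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    # parts[0] is name=value; everything after it is an attribute
    for part in parts[1:]:
        name = part.split("=", 1)[0].strip().lower()
        if name == attr.lower():
            return True
    return False


def add_secure_flag(set_cookie: str) -> str:
    """Return the header value with '; secure' appended unless already present.

    Mirrors the iRule behaviour: a cookie that already has the flag is left
    exactly as it was, so applying the rewrite twice is harmless."""
    if has_attribute(set_cookie, SECURE_ATTR):
        return set_cookie
    return set_cookie.rstrip().rstrip(";") + "; " + SECURE_ATTR


def secure_response_cookies(headers):
    """Rewrite every Set-Cookie header in a list of (name, value) tuples.

    Other headers pass through untouched, as they would through the iRule."""
    out = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            out.append((name, add_secure_flag(value)))
        else:
            out.append((name, value))
    return out


def audit_cookies(headers):
    """Return the names of cookies set without the Secure attribute.

    Run this over a response captured from the HTTPS virtual server; an empty
    list means every cookie in that response was marked secure."""
    missing = []
    for name, value in headers:
        if name.lower() == "set-cookie" and not has_attribute(value, SECURE_ATTR):
            cookie_name = value.split(";", 1)[0].split("=", 1)[0].strip()
            missing.append(cookie_name)
    return missing


# Constructed sample response headers (not a real capture). The first cookie
# is the one from the thread; the second is made up to show the no-op path.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "ASPSESSIONIDASTACBAT=JFALACPAOAOKCFJDEBIJGEIM; path=/"),
    ("Set-Cookie", "prefs=dark; path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print("cookies lacking Secure before rewrite:", audit_cookies(SAMPLE_HEADERS))
    fixed = secure_response_cookies(SAMPLE_HEADERS)
    for name, value in fixed:
        print(f"{name}: {value}")
    print("cookies lacking Secure after rewrite:", audit_cookies(fixed))
```

The audit function is the useful half when something looks wrong, as it did for Dave: feed it the headers as seen by the client behind the HTTPS VS (for example, copied out of Fiddler), and any name it returns is a cookie the rule did not reach.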
  • Hey Michael,

    I had tested incorrectly. I was having a bad day yesterday. The rule you sent me does exactly what I need. Thanks for all your help.

    Dave