Forum Discussion

DaveC_53879's avatar
DaveC_53879
Icon for Nimbostratus rankNimbostratus
Dec 15, 2011

Mark cookie as secure

We have 2 virtual servers for an IIS site, one for http and the other for https, but they use the same pool on port 80. Is there a way to mark all of session cookies leaving the https VS as secure s...
application delivery
dev
devops
iRules
Michael_Yates's avatar
Michael_Yates
Icon for Nimbostratus rankNimbostratus
Dec 15, 2011
You will have to take a look at the entire session in a tool like Fiddler2 to see it.

The Secure Flag is only ever set on the response at the beginning of the session to let the client know that the cookie(s) should only be utilized in an HTTPS Tunnel.

If you want to see it in the log you can add a logging statement and it will log it to the LTM Log for additional verification: 


when HTTP_RESPONSE {
    set cookies [HTTP::cookie names]
     Loop through each cookie by name in request
    foreach aCookie $cookies {
log local0. "Cookie Name: $aCookie being secured."
         Replace cookie name from list and set Secure Flag to Enable
        HTTP::cookie secure $aCookie enable
    }
}

If you would like additional information you can see the Wiki Page for HTTP::cookie that covers the secure flag.

HTTP::cookie secure [enable | disable]

Sets or gets the value of the "secure" attribute. Applies to responses only. 'HTTP::cookie secure ' returns "enable" or "disable" depending on whether the secure flag is set. If 'HTTP::cookie secure enable' is used on a cookie which already has the secure flag set, no change is made to the cookie.

Hope this helps.