For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

MSK_222682's avatar
MSK_222682
Icon for Nimbostratus rankNimbostratus
Feb 01, 2016

Multiple Secure and HttpOnly attributes seen for cookie

Hi, I ran a curl command from a linux machine to a URL (on https) which is hosted on our BIG IP LTM. This virtual server has been set to add Secure, HttpOnly attributes to the cookie. However, I s...
application delivery
BIG-IP
iRules
Kai_Wilke's avatar
Kai_Wilke
Icon for MVP rankMVP
Feb 01, 2016

Hi Sai,

the problem is caused by those cookies, who already have the "; Secure" and/or "; HttpOnly" option set.

To flush any existing cookie options, you could use a 

[substr ${set_cookie_header} 0 ";"]
while substituting the new options...

when HTTP_RESPONSE {
    set unsafe_cookie_headers [HTTP::header values "Set-Cookie"]
    HTTP::header remove "Set-Cookie"
    foreach set_cookie_header $unsafe_cookie_headers {  
        HTTP::header insert "Set-Cookie" "[substr ${set_cookie_header} 0 ";"]; Secure; HttpOnly"
    }
}

Update: My update is still working... hehe^^ You should take a look to Brads approach. Although my iRule would work (in most cases), Brads approach is even more safe to use....

Cheers, Kai