Forum Discussion

MSK_222682's avatar
MSK_222682
Icon for Nimbostratus rankNimbostratus
10 years ago

Multiple Secure and HttpOnly attributes seen for cookie

Hi, I ran a curl command from a linux machine to a URL (on https) which is hosted on our BIG IP LTM. This virtual server has been set to add Secure, HttpOnly attributes to the cookie. However, I s...
application delivery
big-ip
irules
Brad_Parker_139's avatar
Brad_Parker_139
Icon for Nacreous rankNacreous
10 years ago

Try using this iRule. It will not try to set secure or httponly if it is already set. What you are doing to manually changing the cookie payload without inspecting what is already there.

when HTTP_RESPONSE {
    foreach mycookie [HTTP::cookie names] {
        HTTP::cookie secure $mycookie enable
        HTTP::cookie httponly $mycookie enable
    }
}

https://devcentral.f5.com/wiki/iRules.HTTP__cookie.ashx

MSK_222682's avatar
MSK_222682
Icon for Nimbostratus rankNimbostratus
10 years ago
Hi Brad, Thanks for the quick response. I shall update my iRule with above one and test again with the user. Also, do you think the presence of JSESSIONID in the server response cookie is causing the problem here ?? I'm of the impression that if server uses JESSIONID for maintaining persistence then we need a explicit iRule to support JESSIONID persistence and override the default persistence mechanism configured at pool level. Do let me know if my understanding is correct ? If so, I may have to create another iRule for this virtual server. Thanks, Sai