For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

MSK_222682's avatar
MSK_222682
Icon for Nimbostratus rankNimbostratus
Feb 01, 2016

Multiple Secure and HttpOnly attributes seen for cookie

Hi, I ran a curl command from a linux machine to a URL (on https) which is hosted on our BIG IP LTM. This virtual server has been set to add Secure, HttpOnly attributes to the cookie. However, I s...
application delivery
BIG-IP
iRules
Brad_Parker_139's avatar
Brad_Parker_139
Icon for Nacreous rankNacreous
Feb 01, 2016

Try using this iRule. It will not try to set secure or httponly if it is already set. What you are doing to manually changing the cookie payload without inspecting what is already there.

when HTTP_RESPONSE {
    foreach mycookie [HTTP::cookie names] {
        HTTP::cookie secure $mycookie enable
        HTTP::cookie httponly $mycookie enable
    }
}

https://devcentral.f5.com/wiki/iRules.HTTP__cookie.ashx

Brad_Parker_139's avatar
Brad_Parker_139
Icon for Nacreous rankNacreous
Feb 01, 2016
You don't necessarily have to persist on JESSIONID, but if you want to you can using universal persistence. https://support.f5.com/kb/en-us/solutions/public/7000/300/sol7392.html