Forum Discussion
MSK_222682
Nimbostratus
Feb 01, 2016
Multiple Secure and HttpOnly attributes seen for cookie
Hi,
I ran a curl command from a Linux machine to a URL (on HTTPS) which is hosted on our BIG-IP LTM. This virtual server has been set to add Secure, HttpOnly attributes to the cookie.
However, I s...
Kai_Wilke
MVP
Feb 03, 2016
Hi Sai,
this is the iRule I was referring to...
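    when HTTP_RESPONSE {
        # Walk every cookie present in the server response
        foreach mycookie [HTTP::cookie names] {
            # Set the Secure and HttpOnly attributes on each one
            HTTP::cookie secure $mycookie enable
            HTTP::cookie httponly $mycookie enable
        }
    }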
Note: The backend doesn't have to deal with those additional flags. Those flags are only sent to the client to instruct the browser how to protect the cookie. But it still has the potential to break your application in case you're not using HTTPS to access the application (Secure flag) or if your application uses JScript or other client-side features to read the cookie values (HttpOnly flag).
Cheers, Kai
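A way to check for the symptom in the thread title, as an added example that is not part of the original thread and not F5 code: it reads response headers (for instance saved from `curl -si`) and reports cookies where Secure or HttpOnly is missing or appears more than once. The header sample is constructed, and the function names `parse_set_cookie` and `audit_headers` are hypothetical.

```python
from collections import Counter

FLAGS = ("secure", "httponly")

# Constructed sample of response headers; not taken from the thread.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly; Secure; HttpOnly
Set-Cookie: lang=en; Path=/
Set-Cookie: pool_persist=0001; path=/; Httponly; Secure
Set-Cookie: note=secure; Path=/; HTTPONLY
"""


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, Counter of attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; any "=value" part is dropped.
    # parts[0] is the name=value pair, so a cookie *value* of "secure" is not counted.
    attrs = Counter(p.split("=", 1)[0].strip().lower() for p in parts[1:] if p)
    return name, attrs


def audit_headers(raw):
    """Return {cookie: {"missing": [...], "duplicated": [...]}} for flagged cookies."""
    findings = {}
    for line in raw.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        missing = [f for f in FLAGS if attrs[f] == 0]
        duplicated = [f for f in FLAGS if attrs[f] > 1]
        if missing or duplicated:
            findings[name] = {"missing": missing, "duplicated": duplicated}
    return findings


if __name__ == "__main__":
    for cookie, result in audit_headers(SAMPLE_HEADERS).items():
        print(cookie, result)
```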
