Forum Discussion

diana_24252's avatar
diana_24252
Icon for Nimbostratus rankNimbostratus
Apr 02, 2009

Need iRule to enable "secure" attribute on cookies

ASP.NET application is sending 4 cookies to the client and they are not marked "secure" (i.e., the cookies don't have the attribute that tells the client PC to send the cookies only over an SSL connection). The cookies do not need to be encrypted, they just need to have the "secure" attribute enabled. I found this:

 

 

when HTTP_RESPONSE

 

{

 

foreach cookiename [HTTP::cookie names]

 

{

 

HTTP::cookie secure $cookiename enable;

 

}

 

}

 

 

but I am not sure how to convert it to a working iRule for our situation.

 

The cookie names are as follows:

 

 

ASP.NET_SessionId

 

.ASPXAUTH

 

VenueDLA

 

.ASPXCOOKIEAUTH-VenueRRDAdmin

 

 

This is for a LTM 3400, BIG-IP 9.3.0 Build 178.5

 

 

Thank you!
application delivery
dev
devops
iRules

3 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Apr 02, 2009
    Something like this? 

     
 when HTTP_RESPONSE { 
    foreach cookiename [list ASP.NET_SessionId .ASPXAUTH VenueDLA .ASPXCOOKIEAUTH-VenueRRDAdmin] { 
       HTTP::cookie secure $cookiename enable; 
    } 
 }

    Aaron
  • diana_24252's avatar
    diana_24252
    Icon for Nimbostratus rankNimbostratus
    Apr 03, 2009
    Thank you Aaron! I got word from the app team that the iRule worked. I am wondering if we can use classes as it will be more convinient to add and remove cookie names if need be?
  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Apr 06, 2009
    Sure, it's possible to read the class entries instead of a list in the iRule. You could change the [list cookie1 cookie2...] to $::class_name.

     

     

    Aaron