Seckin_149390
Jun 03, 2018

Secure & HTTP Only Flag on Cookie

Hi Everyone,

I'm confused about the Secure and HttpOnly flags in cookie persistence. I have tried several things in my test environment and the results are as follows:

When I use default cookie persistence with no iRule, on the first request there is of course no cookie on the HTTP request, but the HTTP response has the special F5 cookie with the Secure and HttpOnly attributes. (Expected result)

But in the second attempt (refreshing the page) there is no cookie on the HTTP response, and there is an F5 cookie on the HTTP request with no Secure and HttpOnly attribute. (I'm not sure whether this is the expected result!)

On my third attempt, I used an iRule as follows:

    when HTTP_RESPONSE {
        # Re-insert every cookie in the response with Secure and HttpOnly set
        foreach x [HTTP::cookie names] {
            HTTP::cookie remove $x
            # value is the fixed persistence value from my test
            HTTP::cookie insert name $x value 3884388362.47873 path "/" version 1
            HTTP::cookie secure $x enable
            HTTP::cookie httponly $x enable
        }
    }

The iRule works fine and adds the Secure flag to all cookies on the HTTP response. But there is still no Secure flag on HTTP requests; is that normal?

Please check my results here:

http response with irule = Set-Cookie: JSESSIONID=3884388362.47873;Path=/;Version=1;Secure;Httponly

http request with irule = Cookie: JSESSIONID=3884388362.47873

Kind Regards,

 

  • Hi,

    Flags are only in the response, not in requests...

    These flags define when to use the cookie.

    If persistence is defined without an expiration time, it is a session cookie, which means there is no need to send it in each response if the client sent it and the value is still the same.


  • Hi,

    As a reminder, a cookie is usually created on the browser at the request of the web server to store a report, which will then be retransmitted on the next requests. For this purpose, the web server uses the Set-Cookie header in an HTTP response.

    So about what you asked: should the request cookies have the Secure flag set?

    It doesn't really work that way. The flags are only present in the Set-Cookie header (the response).

    When the client (a browser) receives a Set-Cookie header, it will store the flags together with the cookie value, but only for its own usage (so that the browser itself can know when and where to send the cookie value if necessary).

    The Cookie header (request) cannot contain flags; it is only a list of name=value pairs, and when you (the server) receive them, you're not even guaranteed to have set them yourself.

    However, excluding the possibility of really horrible browser bugs, you can be sure that if you set the "Secure" flag for a cookie in your response, the receiving browser won't send it over a non-encrypted connection. It's not really 100% guaranteed, but it's really the only option you have, and pretty much the whole web relies on browsers behaving properly, so you're not alone in that.

    So your behaviour is normal.

    Hope it's clear. Keep me in touch!!! Regards,
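The behaviour described in the replies above, as an added example that is not part of the original thread or of F5's own code: a minimal model of what a browser does with a Set-Cookie header (store the value together with Secure and HttpOnly), what it puts in the Cookie request header (name=value pairs only, and a Secure cookie is withheld over plain http), plus a small audit that checks a Set-Cookie header for the two flags. The JSESSIONID line is taken from the post; the TRACK cookie and the example.test URLs are constructed for the demonstration, and the path matching follows RFC 6265 section 5.1.4.

```python
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class StoredCookie:
    """What a browser keeps for one cookie: the value plus attributes from Set-Cookie."""
    name: str
    value: str
    path: str = "/"
    secure: bool = False
    httponly: bool = False


def parse_set_cookie(header_value: str) -> StoredCookie:
    """Parse the value of one Set-Cookie header (attribute names are case-insensitive)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = StoredCookie(name.strip(), value.strip())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "path" and val.strip():
            cookie.path = val.strip()
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        # Version, Expires, Max-Age, Domain and SameSite are ignored in this simplified model
    return cookie


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: exact, or a prefix that ends in '/' or is followed by '/'."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def build_cookie_header(jar: list, url: str) -> str:
    """Mimic the browser's choice of which cookies go into the Cookie request header.

    The Secure flag is consulted here and nowhere else: a Secure cookie is simply
    left out over plain http. Only name=value pairs are emitted; no attribute ever
    reaches the server, which is why the request in the post shows no flags.
    """
    u = urlparse(url)
    request_path = u.path or "/"
    pairs = []
    for c in jar:
        if c.secure and u.scheme != "https":
            continue
        if not path_matches(request_path, c.path):
            continue
        pairs.append(f"{c.name}={c.value}")
    return "; ".join(pairs)


def audit_set_cookie(header_value: str) -> list:
    """Defender-side check of a response: list the hardening attributes a Set-Cookie lacks."""
    c = parse_set_cookie(header_value)
    missing = []
    if not c.secure:
        missing.append("Secure")
    if not c.httponly:
        missing.append("HttpOnly")
    return missing


# Sample input: the JSESSIONID line from the post, plus one constructed cookie lacking both flags.
SET_COOKIE_FROM_POST = "JSESSIONID=3884388362.47873;Path=/;Version=1;Secure;Httponly"
SET_COOKIE_WEAK = "TRACK=abc123; Path=/app"  # constructed for the example


if __name__ == "__main__":
    jar = [parse_set_cookie(SET_COOKIE_FROM_POST), parse_set_cookie(SET_COOKIE_WEAK)]
    print("https request:", build_cookie_header(jar, "https://example.test/app/index"))
    print("http request: ", build_cookie_header(jar, "http://example.test/app/index"))
    print("audit of weak cookie:", audit_set_cookie(SET_COOKIE_WEAK))
```

Running the script prints the JSESSIONID pair for the https request and omits it for the http request, while the audit reports both flags missing on the constructed TRACK cookie; the only place to verify the flags on the server side is therefore the Set-Cookie header in the response, exactly as the reply states.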