Forum Discussion
alkjones_3684
Nimbostratus
Jul 15, 2012
'secure' and 'httponly' attribute for aspsessionid* cookies
I've searched for various terms here and found nothing, so apologies if I'm doubling up a question that's already been answered numerous times.
I need to set secure and httponly attributes on aspsessionid* cookies.
This:

    when HTTP_RESPONSE {
        foreach cookie [HTTP::cookie names] {
            HTTP::cookie secure $cookie enable
        }
    }

works fine at setting the secure attribute.
This, however:

    when HTTP_RESPONSE {
        foreach cookie [HTTP::cookie names] {
            HTTP::cookie secure $cookie enable
            HTTP::cookie httponly $cookie enable
        }
    }

completely denies access to the site - I don't even get to the logon page of my application.
I VERY MUCH need to set both values on my cookies or my pen test tomorrow is not going to go well for me..
This rule - written as part of F5 consulting services - DOES set both attributes, but does a load of other stuff that prevents access to one of my applications that is very about what is passed through in the header:

    when HTTP_REQUEST {
        HTTP::header replace "User-Agent" "[HTTP::header User-Agent] IPSOURCE: [IP::client_addr]"
    }
    when HTTP_RESPONSE {
        foreach cookie [HTTP::cookie names] {
            set value [HTTP::cookie value $cookie]
            set path [HTTP::cookie path $cookie]
            set domain [HTTP::cookie domain $cookie]
            HTTP::cookie remove $cookie
            HTTP::cookie insert name $cookie value $value version 1
            if { $path ne "" } { HTTP::cookie path $cookie $path }
            if { $domain ne "" } { HTTP::cookie domain $cookie $domain }
            HTTP::cookie secure $cookie enable
            HTTP::cookie httponly $cookie enable
        }
    }

Any help would be gratefully appreciated - yes, I HAVE rebooted my kit so as not to be caught out by the 49 day bug (or whatever the time frame is..)
Going round in circles and frankly starting to lose my mind..
Cheers
Alastair
(F5 3900 X2 LTM 11.1 HF1)
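
A way to verify the result of rules like the ones in the post above, as an added example that is not part of the original thread: this Python check parses `Set-Cookie` response headers and lists which `ASPSESSIONID*` cookies still lack the `Secure` or `HttpOnly` attribute. The sample headers and the function names are constructed for illustration.

```python
import re

# Constructed sample response headers (not captured from the poster's site).
SAMPLE_HEADERS = [
    ("Set-Cookie", "ASPSESSIONIDQQBCDRST=ABCDEFGHIJKLMNOP; path=/"),
    ("Set-Cookie", "ASPSESSIONIDAABBCCDD=QRSTUVWXYZABCDEF; path=/; secure"),
    ("Set-Cookie", "ASPSESSIONIDSSTTUUVV=HIJKLMNOPQRSTUVW; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; path=/"),
    ("Content-Type", "text/html"),
]

# Classic ASP session cookies carry a per-application suffix after this prefix.
SESSION_COOKIE = re.compile(r"^ASPSESSIONID", re.IGNORECASE)


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def missing_flags(headers, required=("secure", "httponly")):
    """Return {cookie_name: [missing flags]} for ASPSESSIONID* cookies only."""
    findings = {}
    for header, value in headers:
        if header.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not SESSION_COOKIE.match(name):
            continue  # other cookies are out of scope for this check
        gaps = [flag for flag in required if flag not in attrs]
        if gaps:
            findings[name] = gaps
    return findings


if __name__ == "__main__":
    for name, gaps in missing_flags(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(gaps)}")
```
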
1 Reply
- alkjones_3684
Nimbostratus
the solution provided by a rather awesome support engineer: