For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

alkjones_3684's avatar
alkjones_3684
Icon for Nimbostratus rankNimbostratus
Jul 15, 2012

'secure' and httponly' attribute for aspsessionid* cookies

ive searched for various terms here and found nothing so apologies if im doubling up a question thats already been answered numerous times.     I need to set secure and httponly attributes on as...
application delivery
dev
devops
iRules
alkjones_3684's avatar
alkjones_3684
Icon for Nimbostratus rankNimbostratus
Jul 15, 2012
the solution provided by a rather awesome support engineer:

 

 

when HTTP_RESPONSE { set myValues [HTTP::cookie names] foreach mycookies $myValues { if { [HTTP::cookie expires $mycookies] eq "" }{ set mypath [HTTP::cookie path $mycookies] set myvalue [HTTP::cookie $mycookies] HTTP::cookie remove $mycookies HTTP::cookie insert name $mycookies value $myvalue version 1 HTTP::cookie httponly $mycookies enable HTTP::cookie secure $mycookies enable if { $mypath ne "" } { HTTP::cookie path $mycookies $mypath } } else { HTTP::cookie secure $mycookies enable } } }

 

 

its late, so you can do the formatting yourself..

 

 

NOTE -

 

 

Duplicate cookies will definitely give you problems when using this irule.

 

NON-RFC compliant cookies will probably give you a problem when using this irule..

 

 

Cheers

 

Alastair