Forum Discussion

Doran_Lum
Jun 03, 2019

Secure flag for cookie

Hi all, we have a setting for the secure flag for cookies as below, but somehow the screenshot doesn't really show that the cookies are secure. Am I missing something in the settings? Our security scanner doesn't pick up any vulnerabilities with these settings.


Before secure flag


After the secure flag, it seems the secure flag session appears on the third line and doesn't encrypt the app session in the first or second line.

  • Per the screenshot, it seems you are encrypting the cookie, not adding the secure flag.

    when HTTP_RESPONSE {
        # Collect every Set-Cookie value the server sent, then drop the originals
        set COOKIE_VAL [HTTP::header values "Set-Cookie"]
        HTTP::header remove "Set-Cookie"

        # Re-insert each cookie with the Secure and HttpOnly attributes appended
        # (note: this appends unconditionally, even if a cookie already carries them)
        foreach COOKIE_NAME $COOKIE_VAL {
            HTTP::header insert "Set-Cookie" "${COOKIE_NAME}; Secure; HttpOnly"
        }
    }
    • Doran_Lum

      Thank you, this worked. With this, do I still need to enable the Session Cookie as above?

  • The secure flag governs what type of connection a cookie is submitted over (when the secure flag is set, HTTPS only; if the secure flag isn't set, HTTP or HTTPS), not whether the content of the cookie is encrypted.

    Encryption is governed by the 'Encrypt Cookies' and 'Cookie Encryption Passphrase' settings of the HTTP profile, or in the case where you are using Cookie-based persistence the 'Cookie Encryption Use Policy' and 'Encryption Passphrase' setting in the persistence profile.


    For the HTTP profile based cookie encryption to work, you need to provide one or more cookie names, which the BIG-IP will encrypt the contents of prior to forwarding to the client. Are you sure you provided names that match the cookies in use?
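    As an added example (not code from this thread or from F5), a small Python checker that parses Set-Cookie headers the way a scanner does, reports which cookies lack the Secure and HttpOnly flags, and mirrors the iRule's append step without duplicating flags that are already present. The two cookie names come from the thread; the values, pool name and path are constructed.

    ```python
    """Audit Set-Cookie headers for the Secure and HttpOnly flags.

    The flag check is independent of whether the cookie VALUE is encrypted:
    an encrypted value with no Secure attribute still travels over plain HTTP.
    """
    from typing import Dict, List


    def parse_set_cookie(header: str) -> Dict[str, object]:
        """Split one Set-Cookie value into name, value and lower-cased attributes."""
        parts = [p.strip() for p in header.split(";") if p.strip()]
        name, _, value = parts[0].partition("=")
        attrs: Dict[str, object] = {}
        for part in parts[1:]:
            key, _, val = part.partition("=")
            # Bare attributes such as Secure / HttpOnly have no value; store True
            attrs[key.strip().lower()] = val.strip() if val else True
        return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


    def missing_flags(header: str) -> List[str]:
        """Return the security attributes this cookie does not carry."""
        attrs = parse_set_cookie(header)["attrs"]
        return [f for f in ("Secure", "HttpOnly") if f.lower() not in attrs]


    def add_flags(header: str) -> str:
        """Same effect as the iRule's '; Secure; HttpOnly' append, but idempotent."""
        needed = missing_flags(header)
        return header if not needed else header + "; " + "; ".join(needed)


    def audit(headers: List[str]) -> Dict[str, List[str]]:
        """Map each cookie name to the flags it is missing (empty list = fine)."""
        return {parse_set_cookie(h)["name"]: missing_flags(h) for h in headers}


    # Constructed sample response headers (values and pool name are made up)
    SAMPLE = [
        "ASP.NET_SessionId=abc123; path=/",
        ".ASPXFORNSAUTH=0A1B2C3D4E5F; path=/; HttpOnly",
        "BIGipServerpool_web=1677787402.20480.0000; path=/; Secure",
    ]

    if __name__ == "__main__":
        for name, gaps in audit(SAMPLE).items():
            print(f"{name}: missing {gaps or 'nothing'}")
        for h in SAMPLE:
            print(add_flags(h))
    ```
    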

    • Doran_Lum

      Thank you for your explanation. Based on the above, where will these names (.ASPXFORNSAUTH and ASP.NET_SessionId) be determined or set?

      And across all the different applications, will it require a different persistence cookie profile because of the different cookie names?