Forum Discussion

Chad_Roberts_21
Jan 19, 2007

Securing Cookies

I use a simple rule to add ";Secure" to the end of every "Set-Cookie" header in a particular app server's response, and it works great for what it was originally intended to do.

when HTTP_RESPONSE {
    set setcookie [HTTP::header "Set-Cookie"]
    if { (not ($setcookie == "")) and (not ($setcookie contains ";Secure")) } {
      HTTP::header replace Set-Cookie "$setcookie;Secure"
    }
}

It occurred to me recently, though, that the "Set-Cookie" header can contain multiple cookies at once, separated by commas. What I need to do now is check whether a comma exists and add the text to each if there are more than one.

How can I segment out the header if commas exist, make the change when necessary, and reassemble it again?
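The header rewriting asked for above, as an added example that is not part of the original post and not an F5 iRule: it is written in Python so the logic can be checked offline, and it processes each Set-Cookie header separately (the list an iRule would get from `HTTP::header values Set-Cookie`), splits a comma-joined value only at commas that are not inside an Expires date, and adds the flag only when an attribute of that name is not already present (compared case-insensitively). The sample headers are constructed after the Fiddler capture quoted later in this thread, plus one comma-joined header invented to exercise the splitting.

```python
import re

# A trailing "expires=Wed" (or "expires=Wednesday") before a comma means the
# comma belongs to an HTTP date such as "Wed, 21 Oct 2015 07:28:00 GMT",
# not to a cookie boundary.
_EXPIRES_DAY_RE = re.compile(r"(?i)expires\s*=\s*[A-Za-z]+$")


def split_set_cookie(value):
    """Split one Set-Cookie value that carries several comma-joined cookies.

    Returns a list of cookie strings. Commas inside an Expires date are
    rejoined; a value with a single cookie comes back as a one-element list.
    """
    cookies = []
    for piece in value.split(","):
        if cookies and _EXPIRES_DAY_RE.search(cookies[-1].strip()):
            # The previous piece ended mid-date: glue this piece back on.
            cookies[-1] += "," + piece
        else:
            cookies.append(piece)
    return [c.strip() for c in cookies if c.strip()]


def add_flag(cookie, flag):
    """Append "; <flag>" unless an attribute with that name is already there."""
    attrs = [a.strip().lower() for a in cookie.split(";")]
    if flag.lower() in attrs:
        return cookie
    return cookie + "; " + flag


def secure_set_cookie_headers(headers, flags=("Secure",)):
    """Rewrite a response header list so every cookie carries the given flags.

    headers is a list of (name, value) pairs in wire order. A Set-Cookie
    header holding several comma-joined cookies is emitted as one header per
    cookie; all other headers pass through unchanged.
    """
    out = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            out.append((name, value))
            continue
        cookies = split_set_cookie(value)
        if not cookies:
            out.append((name, value))  # empty header: leave it alone
            continue
        for cookie in cookies:
            for flag in flags:
                cookie = add_flag(cookie, flag)
            out.append((name, cookie))
    return out


# Constructed sample: the two Set-Cookie lines from the Fiddler capture in
# this thread, plus a made-up comma-joined header whose Expires date contains
# a comma of its own.
SAMPLE_HEADERS = [
    ("Date", "Fri, 06 Jul 2007 14:59:23 GMT"),
    ("Location", "/mysite/default.aspx"),
    ("Set-Cookie", "UserName=jdoe; path=/; HttpOnly"),
    ("Set-Cookie", ".ASPXAUTH=259AE6492D3; path=/; HttpOnly; Secure"),
    ("Set-Cookie", "a=1; path=/, b=2; expires=Wed, 21 Oct 2015 07:28:00 GMT; path=/"),
]


if __name__ == "__main__":
    for name, value in secure_set_cookie_headers(SAMPLE_HEADERS):
        print(f"{name}: {value}")
```

Two things this handles that a check like `contains ";Secure"` does not: the match on the existing attribute is case-insensitive and tolerant of the space in `; Secure`, so a cookie the server already secured is not given the flag twice, and a comma inside an Expires date does not split one cookie into two. Quoted cookie values containing commas are not special-cased here; if the application emits those, split on `;` attributes first.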
  • This seems to work on some of my cookies but not all. For example, if I use Fiddler to look at the raw response I see:

    HTTP/1.1 302 Found
    Date: Fri, 06 Jul 2007 14:59:23 GMT
    Location: /mysite/default.aspx
    Set-Cookie: UserName=jdoe; path=/; HttpOnly
    Set-Cookie: .ASPXAUTH=259AE6492D3; path=/; HttpOnly; Secure

    So the code sets some but not others.

    Any suggestions?

    Thanks,
    Shawn
  • Thanks for posting your example, it has been quite helpful.

    But I have been playing with this script for an hour or so now and noticed that it only sets the last Set-Cookie in the response to Secure, HttpOnly. Any ideas why this may be the case?

    Could it be the way our specific IIS server returns the response?
  • We ended up using a simple solution that seems to work for us:

    when HTTP_RESPONSE {
        # every cookie name set by this response, whichever Set-Cookie header carries it
        set myValues [HTTP::cookie names]
        foreach mycookies $myValues {
            HTTP::cookie secure $mycookies enable
        }
    }

    Not sure if that helps.