Forum Discussion
Robert_47833
Altostratus
Aug 22, 2012
set HTTPOnly in cookie
how to set HTTPOnly in a cookie when in HTTP::response?
11 Replies
- nitass
Employee
have you tried this?
Setting Cookie "HttpOnly" flag and Expires on Redirect and response (George's reply)
https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/2159060/showtab/groupforums/Default.aspx - Robert_47833
Altostratus
hello, Nitass
I don't want to change the cookie value, cookie domain or expiry date,
I only need to add HTTPOnly to some specific cookies - nitass
Employee
when you say HTTP::response, what do you mean? do you craft the HTTP response yourself, e.g. with the HTTP::respond command?
or do you mean the HTTP_RESPONSE event? - Robert_47833
Altostratus
yes, the HTTP_RESPONSE event
I have a cookie which is created by the server, but HTTPONLY is not set
I only need bigip to set HTTPOnly on some specific cookies - nitass
Employee
e.g.
    [root@ve10:Active] config # b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.79:80
       ip protocol 6
       rules myrule
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve10:Active] config # b pool foo list
    pool foo {
       members 200.200.200.101:80 {}
    }
    [root@ve10:Active] config # b rule myrule list
    rule myrule {
       when HTTP_RESPONSE {
          set ck [HTTP::header values "Set-Cookie"]
          HTTP::header remove "Set-Cookie"
          foreach acookie $ck {
             if {$acookie starts_with "BBB"} {
                HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
             } else {
                HTTP::header insert "Set-Cookie" "$acookie"
             }
          }
       }
    }
response from server
    [root@ve10:Active] config # curl -I http://200.200.200.101
    HTTP/1.1 200 OK
    Date: Wed, 22 Aug 2012 08:04:21 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
    ETag: "4183e4-3e-9c564780"
    Accept-Ranges: bytes
    Content-Length: 62
    Set-Cookie: AAA=1111; path=/
    Set-Cookie: BBB=2222; path=/
    Set-Cookie: CCC=1234; path=/
    Content-Type: text/html; charset=UTF-8
via bigip
    [root@ve10:Active] config # curl -I http://172.28.19.79
    HTTP/1.1 200 OK
    Date: Wed, 22 Aug 2012 08:04:28 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
    ETag: "4183e4-3e-9c564780"
    Accept-Ranges: bytes
    Content-Length: 62
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: AAA=1111; path=/
    Set-Cookie: BBB=2222; path=/; HttpOnly
    Set-Cookie: CCC=1234; path=/
- Yeah, it really works. Thanks.
- Robert_47833
Altostratus
hello, Nitass
you are the man!
however, there is another difficult issue that needs a workaround.
currently there is an iRule used to set the secure flag on some cookies:
    when HTTP_RESPONSE {
       if { [HTTP::cookie exists "xyz"] } {
          HTTP::cookie secure "xyz" enable
       } else {
          HTTP::cookie secure "xyz" disable
       }
    }
it seems difficult to merge them, because when inserting the cookie we need to know whether to consider the secure flag in the else branch
- nitass
Employee
e.g.
    [root@ve10:Active] config # b rule myrule list
    rule myrule {
       when HTTP_RESPONSE {
          set ck [HTTP::header values "Set-Cookie"]
          HTTP::header remove "Set-Cookie"
          foreach acookie $ck {
             if {$acookie starts_with "BBB"} {
                HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
             } else {
                HTTP::header insert "Set-Cookie" "$acookie"
             }
          }
          HTTP::cookie secure "BBB" enable
          HTTP::cookie secure "CCC" enable
          HTTP::cookie secure "XYZ" enable
       }
    }
    [root@ve10:Active] config # curl -I http://172.28.19.79
    HTTP/1.1 200 OK
    Date: Wed, 22 Aug 2012 10:01:00 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
    ETag: "4183e4-3e-9c564780"
    Accept-Ranges: bytes
    Content-Length: 62
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: AAA=1111; path=/
    Set-Cookie: BBB=2222;secure; path=/; HttpOnly
    Set-Cookie: CCC=1234;secure; path=/
- Robert_47833
Altostratus
hmm, I see
1: we set HttpOnly first
2: then manipulate the secure flag,
step 1 doesn't conflict with step 2
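To make the header rewriting in the two iRules above concrete outside a BIG-IP, here is an added Python model written for this page; it is not an iRule and not F5's or the poster's code. It walks the Set-Cookie headers of a constructed response in order, appends HttpOnly to cookies whose name starts with a configured prefix (the iRule's starts_with test, applied here to the cookie name rather than the whole header value) and Secure to a named set, and adds an audit helper that lists the cookies still missing a flag, which is the check the thread does by eye on the curl -I output. Unlike the iRule, it looks for an existing flag before appending, so a cookie the origin already marked HttpOnly does not receive the attribute twice and the rewrite can be applied repeatedly. All function names and the sample response are constructed for this example; the cookie names AAA, BBB, CCC and XYZ are taken from the thread.

```python
"""Model of the Set-Cookie rewriting done by the iRule in this thread.

Constructed example (not an iRule, not F5 code): parse a raw HTTP response
head, add HttpOnly to selected cookies and Secure to others, without
duplicating flags the origin server already set, and audit what is missing.
"""

# Constructed sample response using the thread's cookie names. CCC is
# already marked HttpOnly to show that the rewrite does not double the flag.
ORIGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: AAA=1111; path=/\r\n"
    "Set-Cookie: BBB=2222; path=/\r\n"
    "Set-Cookie: CCC=1234; path=/; HttpOnly\r\n"
    "\r\n"
)


def parse_head(raw):
    """Split a response head into (status_line, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers


def cookie_name(set_cookie):
    """'BBB=2222; path=/' -> 'BBB'."""
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def has_attr(set_cookie, attr):
    """Case-insensitive test for a flag attribute such as HttpOnly or Secure."""
    parts = [p.strip().lower() for p in set_cookie.split(";")[1:]]
    return attr.lower() in parts


def add_flag(set_cookie, attr):
    """Append '; attr' only when the flag is not already present."""
    return set_cookie if has_attr(set_cookie, attr) else set_cookie + "; " + attr


def harden_cookies(headers, httponly_prefixes, secure_names):
    """Rewrite Set-Cookie headers like the iRule's foreach loop.

    Non-cookie headers and header order are preserved. Returns the new
    header list and the names of the cookies that were changed.
    """
    out, changed = [], []
    for name, value in headers:
        if name.lower() != "set-cookie":
            out.append((name, value))
            continue
        cname = cookie_name(value)
        new = value
        # Same selection as the iRule's 'starts_with "BBB"', on the cookie name.
        if any(cname.startswith(p) for p in httponly_prefixes):
            new = add_flag(new, "HttpOnly")
        # Same effect as 'HTTP::cookie secure <name> enable' for listed names.
        if cname in secure_names:
            new = add_flag(new, "Secure")
        if new != value:
            changed.append(cname)
        out.append((name, new))
    return out, changed


def audit(headers):
    """Defender's check: map each Set-Cookie name to the flags it still lacks."""
    missing = {}
    for name, value in headers:
        if name.lower() == "set-cookie":
            lacking = [f for f in ("HttpOnly", "Secure") if not has_attr(value, f)]
            if lacking:
                missing[cookie_name(value)] = lacking
    return missing


if __name__ == "__main__":
    status, hdrs = parse_head(ORIGIN_RESPONSE)
    print("before:", audit(hdrs))
    new_hdrs, changed = harden_cookies(hdrs, ["BBB"], {"BBB", "CCC", "XYZ"})
    print("changed:", changed)
    for n, v in new_hdrs:
        print(f"{n}: {v}")
    print("after:", audit(new_hdrs))
```

Two details of the page's own output are worth noticing against this model. First, because the iRule removes and re-inserts every Set-Cookie header, the via-bigip curl output shows them moved after Content-Type; the model keeps each header in place, which is harmless either way since header order carries no meaning here. Second, the iRule appends "; HttpOnly" unconditionally, so a cookie the origin already flags would carry the attribute twice; browsers tolerate that, but the has_attr check above is the cleaner behaviour and also makes the audit output reliable.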