Forum Discussion

Robert_47833
Aug 22, 2012

set HTTPOnly in cookie

how to set HTTPOnly in cookie when HTTP::response?

  • have you tried this?

    Setting Cookie "HttpOnly" flag and Expires on Redirect and response (George's reply)

    https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/50/aft/2159060/showtab/groupforums/Default.aspx
  • hello, Nitass

    I don't want to change the cookie value, cookie domain or expiry date.

    I only need to add HTTPOnly to some specific cookies.
  • when saying HTTP::response, what do you mean? Do you craft the HTTP response yourself, e.g. with the HTTP::respond command?

    or do you mean the HTTP_RESPONSE event?
  • yes, the HTTP_RESPONSE event

    I have a cookie which is created by the server, but HTTPONLY is not set.

    I only need bigip to set HTTPOnly on some specific cookies.
  • e.g.

    [root@ve10:Active] config  b virtual bar list
    virtual bar {
       snat automap
       pool foo
       destination 172.28.19.79:80
       ip protocol 6
       rules myrule
       profiles {
          http {}
          tcp {}
       }
    }
    [root@ve10:Active] config  b pool foo list
    pool foo {
       members 200.200.200.101:80 {}
    }
    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when HTTP_RESPONSE {
          set ck [HTTP::header values "Set-Cookie"]
          HTTP::header remove "Set-Cookie"

          foreach acookie $ck {
             if {$acookie starts_with "BBB"} {
                HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
             } else {
                HTTP::header insert "Set-Cookie" "$acookie"
             }
          }
       }
    }
    
     response from server
    
    [root@ve10:Active] config  curl -I http://200.200.200.101
    HTTP/1.1 200 OK
    Date: Wed, 22 Aug 2012 08:04:21 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
    ETag: "4183e4-3e-9c564780"
    Accept-Ranges: bytes
    Content-Length: 62
    Set-Cookie: AAA=1111; path=/
    Set-Cookie: BBB=2222; path=/
    Set-Cookie: CCC=1234; path=/
    Content-Type: text/html; charset=UTF-8
    
     via bigip
    
    [root@ve10:Active] config  curl -I http://172.28.19.79
    HTTP/1.1 200 OK
    Date: Wed, 22 Aug 2012 08:04:28 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
    ETag: "4183e4-3e-9c564780"
    Accept-Ranges: bytes
    Content-Length: 62
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: AAA=1111; path=/
    Set-Cookie: BBB=2222; path=/; HttpOnly
    Set-Cookie: CCC=1234; path=/
    
    
  • hello, Nitass

    you are the man!

    however, there is another difficult issue that needs a workaround.

    currently there is an iRule used to set the secure flag of some cookies:

    when HTTP_RESPONSE {
       if { [HTTP::cookie exists "xyz"] } {
          HTTP::cookie secure "xyz" enable
       } else {
          HTTP::cookie secure "xyz" disable
       }
    }

    it seems it is difficult to merge them, because when inserting the cookie we need to know whether to consider the secure flag in the else branch.
  • e.g.

    [root@ve10:Active] config  b rule myrule list
    rule myrule {
       when HTTP_RESPONSE {
          set ck [HTTP::header values "Set-Cookie"]
          HTTP::header remove "Set-Cookie"

          foreach acookie $ck {
             if {$acookie starts_with "BBB"} {
                HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
             } else {
                HTTP::header insert "Set-Cookie" "$acookie"
             }
          }

          HTTP::cookie secure "BBB" enable
          HTTP::cookie secure "CCC" enable
          HTTP::cookie secure "XYZ" enable
       }
    }
    
    [root@ve10:Active] config  curl -I http://172.28.19.79
    HTTP/1.1 200 OK
    Date: Wed, 22 Aug 2012 10:01:00 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Fri, 11 Nov 2011 14:48:14 GMT
    ETag: "4183e4-3e-9c564780"
    Accept-Ranges: bytes
    Content-Length: 62
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: AAA=1111; path=/
    Set-Cookie: BBB=2222;secure; path=/; HttpOnly
    Set-Cookie: CCC=1234;secure; path=/
    
    
  • hmm, I see

    1: we set the HttpOnly flag first

    2: then manipulate the secure flag

    step 1 doesn't conflict with step 2
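The two-step header rewrite the thread settles on (HttpOnly first via the Set-Cookie loop, then Secure), modelled in plain Python as an added example so the effect on the sample headers can be checked offline. This is not code from the thread or from F5; the cookie-name sets, the sample headers and the helper names are constructed from the curl output above. One deliberate difference from the iRule's blind `; HttpOnly` append: a flag is only added when it is absent, so running the rewrite twice (for instance two iRules on the same virtual) does not produce duplicated attributes. A small audit helper reports which cookies still lack a flag they are supposed to carry, which is the check you would run over the `curl -I` output after deploying the rule.

```python
"""Model of the HTTP_RESPONSE cookie-flag rewrite discussed in the thread.

Added example, not F5 code: plain Python standing in for the iRule so the
header transformation can be verified offline. Cookie names, the required-flag
sets and the sample headers are constructed from the thread's curl output.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Cookies that must carry HttpOnly (the thread's "BBB" branch).
HTTPONLY_COOKIES = {"BBB"}
# Cookies that must carry Secure (the thread's second rule).
SECURE_COOKIES = {"BBB", "CCC", "XYZ"}

# Constructed sample: the back-end server's headers as printed by curl -I above.
SERVER_RESPONSE = """\
Date: Wed, 22 Aug 2012 08:04:21 GMT
Server: Apache/2.2.3 (CentOS)
Content-Length: 62
Set-Cookie: AAA=1111; path=/
Set-Cookie: BBB=2222; path=/
Set-Cookie: CCC=1234; path=/
Content-Type: text/html; charset=UTF-8
"""


def parse_headers(raw: str) -> List[Header]:
    """Split 'Name: value' lines (as printed by curl -I) into (name, value) pairs."""
    headers: List[Header] = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip blank lines and the status line
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def cookie_name(set_cookie: str) -> str:
    """'BBB=2222; path=/' -> 'BBB'."""
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def has_attribute(set_cookie: str, attr: str) -> bool:
    """True if a flag attribute such as HttpOnly or Secure is already present.

    Attribute names are case-insensitive (RFC 6265), so 'httponly' counts too.
    """
    attrs = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return attr.lower() in attrs


def add_flag(set_cookie: str, attr: str) -> str:
    """Append '; <attr>' only when it is missing, so a second pass is a no-op."""
    if has_attribute(set_cookie, attr):
        return set_cookie
    return f"{set_cookie.rstrip('; ')}; {attr}"


def rewrite_set_cookie(headers: List[Header]) -> List[Header]:
    """Equivalent of the iRule loop: pull every Set-Cookie, re-add it with flags.

    As with 'HTTP::header remove' followed by 'HTTP::header insert', the
    Set-Cookie headers end up after the other headers, in their original order.
    """
    others = [h for h in headers if h[0].lower() != "set-cookie"]
    cookies = [value for name, value in headers if name.lower() == "set-cookie"]
    rewritten: List[Header] = []
    for cookie in cookies:
        name = cookie_name(cookie)
        if name in HTTPONLY_COOKIES:
            cookie = add_flag(cookie, "HttpOnly")  # step 1 of the thread
        if name in SECURE_COOKIES:
            cookie = add_flag(cookie, "Secure")    # step 2 of the thread
        rewritten.append(("Set-Cookie", cookie))
    return others + rewritten


def missing_flags(headers: List[Header]) -> Dict[str, List[str]]:
    """Audit helper: which cookies still lack a flag they are supposed to carry."""
    report: Dict[str, List[str]] = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cname = cookie_name(value)
        missing: List[str] = []
        if cname in HTTPONLY_COOKIES and not has_attribute(value, "HttpOnly"):
            missing.append("HttpOnly")
        if cname in SECURE_COOKIES and not has_attribute(value, "Secure"):
            missing.append("Secure")
        if missing:
            report[cname] = missing
    return report


if __name__ == "__main__":
    before = parse_headers(SERVER_RESPONSE)
    after = rewrite_set_cookie(before)
    print("missing before:", missing_flags(before))
    for header_name, header_value in after:
        print(f"{header_name}: {header_value}")
    print("missing after:", missing_flags(after))
```

The audit helper is the useful part for verification: run it over the headers the BIG-IP actually returns and it should come back empty; if the rule was attached to the wrong virtual, or a second rule re-adds the header without the flag, the report names the cookie and the flag that is still missing.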