Forum Discussion

jba3126's avatar
Icon for Cirrus rankCirrus
Sep 16, 2014

Set Secure and HttpOnly attributes on all Cookies with validation on v10.2.4

I'm on my third round of testing various iRules on DevCentral that would set the secure and httponly attributes. Trying to get an iRule to: 1. Check to see if the HttpOnly atribute is set on all cookies 2. If not, set the HttpOnly and Secure attributes.


iRules I'm working with on the next round of testing: when HTTP_RESPONSE { set ck [HTTP::header values "Set-Cookie"] HTTP::header remove "Set-Cookie" foreach acookie $ck { if {![$acookie contains "HttpOnly"]}{ HTTP::header insert "Set-Cookie" "${acookie}; Secure; HttpOnly" } else { HTTP::header insert "Set-Cookie" "${acookie}; Secure" } } }


Cookies observed in Fiddler traces at various points (Default i.e. No iRule): 1. First Cookie: Set-Cookie: ASP.NET_SessionId=qub2sxy2hvk155fx1bh3j3ab; path=/; HttpOnly Note: I believe this cookie is being set by the Web tier instance of ASP.NET


  1. Second Cookie: Set-Cookie: DBAuth=EFA95F4186FE337A41E80408320FE488F4900985459FBECBF6C06C749C76B8162577371E82BD8B34B13C1B972690A72F9025ED09C74D5BF274CF03E1DAA5B8FAA78914B512FC2ADE50F079C8FF1F2AE7; path=/ Note: I believe this cookie is being set by the App Tier instance of ASP.NET


  2. Third Cookie: DBAuthtsy=EFA95F4186FE337A41E80408320FE488F4900985459FBECBF6C06C749C76B8162577371E82BD8B34B13C1B972690A72F9025ED09C74D5BF274CF03E1DAA5B8FAA78914B512FC2ADE50F079C8FF1F2AE7; path=/


    Note: I believe this cookie is also being set by the App Tier instance of ASP.NET. This cookie is observed being sent with the Second Cookie. Also the first portion of the cookie, DBAuth stays consistent; however the characters after will vary from site to site, example DBAuthtsy, DBAuthrsy.


No RepliesBe the first to reply