Forum Discussion

10 Replies

  • To set the Secure flag, you can use this code snippet:

    when HTTP_RESPONSE {
        # Set the Secure attribute on every cookie in the response
        foreach mycookie [HTTP::cookie names] {
            HTTP::cookie secure $mycookie enable
        }
    }
  • Hi,

    In general, I prefer a layered VS architecture.

    You apply the following iRule to the frontend VS:

    when CLIENT_ACCEPTED {
        # Hand the connection to the internal VS (replace with its actual name)
        virtual virtual_server_name
    }

    Then, in the same iRule, you can change the domain of the desired cookies:

    when HTTP_RESPONSE {
        foreach mycookie [HTTP::cookie names] {
            HTTP::cookie domain $mycookie ".testtest.com"
        }
    }

    You may also need to restrict this to certain cookies only:

    when HTTP_RESPONSE {
        foreach mycookie [HTTP::cookie names] {
            # class match requires an operator; exact match against the datagroup
            if { [class match $mycookie equals REWRITABLE_COOKIES] } {
                HTTP::cookie domain $mycookie ".testtest.com"
            }
        }
    }

    Where REWRITABLE_COOKIES is a datagroup of type string.

    • Yann_Desmarest_
      You can validate Secure and HttpOnly by making requests and inspecting the response for Set-Cookie headers containing the names used for LB persistence, ASM, APM, ...
    • Yann_Desmarest_
      Yes, define a frontend VS and assign this iRule. "virtual_server_name" must be replaced by your internal VS name (today, your actual existing VS).
    • jerm1020_254086
      Ahh, so not to sound like a moron, just replace "virtual_server_name" with my actual VS name? I'm very new to iRules and kind of thrown into this, so I apologize. Also, I thought that through previous audits our LTM and ASM cookies were marked as Secure and HttpOnly, with the obvious exception of the TS cookies. Is there a way to validate this? Or a place to find it? I'm going crazy over here with all these F5 requests for a newbie.
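
The following is an added example and is not code from any post in this thread or from F5. It does two things the thread talks about: it audits a list of Set-Cookie header values for the Secure and HttpOnly attributes (the validation step suggested above, which you would otherwise do by hand with curl or a browser's network tab), and it emulates what the HTTP_RESPONSE iRules do, adding Secure and HttpOnly to every cookie and rewriting Domain only for names in a rewritable set (standing in for the REWRITABLE_COOKIES datagroup). The cookie names follow the BIGipServer<pool>, TS<id> and MRHSession conventions of LTM persistence, ASM and APM cookies, but all values are constructed, and the `audit`, `harden`, `parse_set_cookie` and `serialize` helpers are this example's own, not F5 APIs.

```python
# Added example (not from the thread): audit Set-Cookie headers for Secure/HttpOnly
# and emulate the HTTP_RESPONSE iRules' rewrite. All sample cookies are constructed.
from dataclasses import dataclass

# Canonical capitalisation for attributes we emit (input is matched case-insensitively).
CANONICAL = {"secure": "Secure", "httponly": "HttpOnly", "domain": "Domain",
             "path": "Path", "expires": "Expires", "max-age": "Max-Age",
             "samesite": "SameSite"}


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict  # lowercase attribute name -> value, or None for bare flags


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value; attr; attr=value ..."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def serialize(cookie: Cookie) -> str:
    """Rebuild the Set-Cookie value with canonical attribute capitalisation."""
    out = [f"{cookie.name}={cookie.value}"]
    for key, val in cookie.attrs.items():
        label = CANONICAL.get(key, key)
        out.append(label if val is None else f"{label}={val}")
    return "; ".join(out)


def audit(headers, required=("secure", "httponly")):
    """Return {cookie_name: [missing attributes]} for every cookie lacking a required flag.
    This is the check suggested in the thread: request, then inspect each Set-Cookie."""
    findings = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = [a for a in required if a not in cookie.attrs]
        if missing:
            findings[cookie.name] = missing
    return findings


def harden(header, domain=None, rewritable=None):
    """Emulate the iRules: set Secure and HttpOnly on every cookie; if `domain` is given,
    rewrite Domain only for names in `rewritable` (the REWRITABLE_COOKIES datagroup,
    exact match like `class match ... equals`), or for all cookies when it is None."""
    cookie = parse_set_cookie(header)
    cookie.attrs.setdefault("secure", None)
    cookie.attrs.setdefault("httponly", None)
    if domain is not None and (rewritable is None or cookie.name in rewritable):
        cookie.attrs["domain"] = domain
    return serialize(cookie)


# Constructed sample response headers: an LTM persistence cookie, an ASM TS cookie,
# an APM session cookie with only Secure, and an application cookie that is already fine.
SAMPLE_SET_COOKIE = [
    "BIGipServerpool_web=1677787402.20480.0000; path=/",
    "TS01a2b3c4=0123456789abcdef; Path=/",
    "MRHSession=5f2c9e1a7b3d; path=/; secure",
    "app_session=xyz; Path=/; Secure; HttpOnly",
]

if __name__ == "__main__":
    for name, missing in audit(SAMPLE_SET_COOKIE).items():
        print(f"{name}: missing {', '.join(missing)}")
    for h in SAMPLE_SET_COOKIE:
        print(harden(h, domain=".testtest.com",
                     rewritable={"BIGipServerpool_web", "app_session"}))
```

Run the audit against headers captured from the frontend VS before and after assigning the iRule; an empty result after the change means every cookie the BIG-IP emitted (persistence, ASM, APM and application cookies alike) carries both flags. Note that the iRule sets the flags on cookies the BIG-IP itself adds after the iRule's HTTP_RESPONSE event only if the module inserts them before that event, so always confirm with a real request rather than trusting the configuration.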