Forum Discussion

jerm1020_254086
Jun 20, 2016

Setting cookie levels

During a review of www.testtest.com cookies for a potential RWD checkout render, we noticed that the F5 LTM and ASM cookies seem to be FQDN-based (e.g., www.testtest.com) versus top-level-domain-based (e.g., .testtest.com). Is anyone aware of a mechanism to control the cookie level at the profile, vCMP or appliance level?


10 Replies

  • To set the Secure flag, you can use this code snippet:

    when HTTP_RESPONSE {
        # Mark every cookie set in this response as Secure
        foreach mycookie [HTTP::cookie names] {
            HTTP::cookie secure $mycookie enable
        }
    }
  • Hi,

    In general, I prefer a layered VS architecture.

    You apply the following iRule to the frontend VS:

    when CLIENT_ACCEPTED {
        # Hand the connection to the internal (existing) virtual server
        virtual virtual_server_name
    }

    Then, in the same iRule, you can change the domain of the desired cookies:

    when HTTP_RESPONSE {
        # Rewrite the Domain attribute of every cookie set in the response
        foreach mycookie [HTTP::cookie names] {
            HTTP::cookie domain $mycookie ".testtest.com"
        }
    }

    You may also need to restrict this to certain cookies only:

    when HTTP_RESPONSE {
        foreach mycookie [HTTP::cookie names] {
            # class match needs an operator (equals, starts_with, ...) between the item and the data group
            if { [class match $mycookie equals REWRITABLE_COOKIES] } {
                HTTP::cookie domain $mycookie ".testtest.com"
            }
        }
    }

    Where REWRITABLE_COOKIES is a data group of type string.

    • Yann_Desmarest_
      You can validate Secure and HttpOnly by making requests and inspecting the response for Set-Cookie headers containing the names used for LB persistence, ASM, APM, ...
    • Yann_Desmarest_
      Yes, define a frontend VS and assign this iRule. "virtual_server_name" must be replaced by your internal VS name (today, your actual existing VS).
    • jerm1020_254086
      Ahh, so, not to sound like a moron, just replace "virtual_server_name" with my actual VS name? I'm very new to iRules and kind of thrown into this, so I apologize. Also, I thought through previous audits that our LTM and ASM cookies were marked as Secure and HttpOnly, with the obvious exception of the TS cookies. Is there a way to validate this, or a place to find it? I'm going crazy over here with all these F5 requests for a newbie.
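An added example (not code from this thread) of the check Yann describes: parse the Set-Cookie headers of a response and report, per cookie, whether it is host-only or scoped to the expected domain and whether Secure and HttpOnly are present. The BIG-IP cookie-name prefixes and the sample headers are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Default BIG-IP cookie-name prefixes (LTM persistence, ASM, APM); assumption: defaults in use.
F5_PREFIXES = ("BIGipServer", "TS", "MRHSession", "LastMRH_Session")

@dataclass
class CookieAudit:
    name: str
    domain: Optional[str]  # None = host-only: no Domain attribute was sent (RFC 6265)
    secure: bool
    httponly: bool
    f5_cookie: bool
    findings: List[str] = field(default_factory=list)

def parse_set_cookie(header: str) -> CookieAudit:
    # Split one Set-Cookie value into name, Domain and flags (attribute names are case-insensitive).
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain, flags = None, set()
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            domain = val.strip()
        elif key in ("secure", "httponly"):
            flags.add(key)
    return CookieAudit(name, domain, "secure" in flags, "httponly" in flags, name.startswith(F5_PREFIXES))

def audit_cookies(headers: List[str], expected_domain: str) -> List[CookieAudit]:
    # Flag host-only scope, a Domain other than the expected one, and missing Secure/HttpOnly.
    want = expected_domain.lstrip(".").lower()
    results = []
    for header in headers:
        c = parse_set_cookie(header)
        if c.domain is None:
            c.findings.append("host-only: returned only to the exact FQDN that set it")
        elif c.domain.lstrip(".").lower() != want:
            c.findings.append(f"domain {c.domain} is not .{want}")
        if not c.secure:
            c.findings.append("missing Secure")
        if not c.httponly:
            c.findings.append("missing HttpOnly")
        results.append(c)
    return results

# Constructed sample Set-Cookie values, not captured from a real BIG-IP.
SAMPLE_HEADERS = [
    "BIGipServerpool_www=1677787402.20480.0000; path=/; Secure; HttpOnly",
    "TSd1a2b3c4=0123abcd; Path=/",
    "MRHSession=abc123; path=/; domain=.testtest.com; secure; HttpOnly",
]
```

Feed it the Set-Cookie values of a real response (one list entry per header) and an empty findings list means the cookie already has the scope and flags you expect.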