Steve_Knapp
Mar 08, 2016

SOL13787: Configuring the 'secure' and 'HttpOnly' attributes for BIG-IP ASM cookies

The solution article "SOL13787: Configuring the 'secure' and 'HttpOnly' attributes for BIG-IP ASM cookies" gives instructions for enabling/disabling the secure and HttpOnly ASM cookie attributes.

Does anyone know what the command would be to check and see whether these attributes are already set? We have a number of LTMs with ASM, but changing them all (I know there are 2 we need to) will cause unwanted disruptions in service due to the requirement for an ASM restart. I'd like to check before blindly changing them all.

2 Replies

  • Once the attributes have been set via the command line, you can view them via the web UI. SOL13291 (unrelated except that it also describes setting with add_del_internal) describes this:

    Modifying internal parameters from the Configuration utility

    Once you have added these internal parameters from the command line using the previous steps, you may further modify the parameters from the Configuration utility by performing the following steps:

    1. Log in to the Configuration utility.
    2. Navigate to the following page:

    BIG-IP ASM 11.3.0 and later

    Security > Options > Application Security > Advanced Configuration > System Variables

    BIG-IP ASM 10.2.2 through 11.2.1

    Application Security > Options > Advanced Configuration > System Variables

    3. In the Parameter Value box, enter the value you want for any of the three internal parameters that you added while performing the Initial configuration of internal parameters from the command line procedure.

    To be clear, the values from SOL13787 won't show up until you've added them at the command line, so this is a method by which you can tell whether they've been set at the command line, and you can verify what they've been set to as well.

  • Doesn't seem to work as it should here. I followed SOL13787, set the secure and HttpOnly flags and restarted ASM, on 12.1.0 HF1.

    Under Security > Options > Application Security > Advanced Configuration > System Variables: cookie_httponly_attr is set to 1 and cookie_secure_attr is set to 1.

    This is my output:

    curl -I https://mail.xxxx/owa/auth/logon.aspx?
    HTTP/1.1 200 OK
    Cache-Control: no-cache, no-store
    Pragma: no-cache
    Content-Length: 8780
    Content-Type: text/html; charset=utf-8
    Expires: -1
    Set-Cookie: OutlookSession=0d1a4xxxx; path=/; secure; HttpOnly
    X-OWA-Version: 14.3.294.0
    X-Powered-By: ASP.NET
    Date: Tue, 23 Aug 2016 09:03:11 GMT
    Set-Cookie: BIGipServer~xxxx_pl=rdxxxx000000000000000000xxxxx; path=/; Httponly
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    Set-Cookie: TSxxxxxxxxxxxxxxxx; Path=/; HTTPOnly
    Set-Cookie: BIGipServer~xxxx_pl=rdxxxxxxo0000000000000000000xxxxxx; path=/; Httponly; Secure

    So it doesn't set the secure flag at all and HTTPOnly is wrong as it should be HttpOnly of course. Any ideas? Or is this a bug?
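The reply above checks the flags by eye in `curl -I` output. The script below is an added example for doing that check mechanically; it is not part of this thread, not F5 documentation, and the file name `cookie_flags.py` and the embedded headers (copied from the quoted output, same redacted `xxxx` values) are constructed for the example. It reports, per `Set-Cookie` header, whether `Secure` and `HttpOnly` are present. Attribute names are compared case-insensitively, as RFC 6265 section 5.2 specifies, so `HTTPOnly`, `Httponly` and `HttpOnly` all count as the same flag; what the checker does flag in the sample is the ASM `TS` cookie and the first persistence cookie, neither of which carries `Secure`.

```python
import sys

# Constructed sample input: the curl -I output quoted in the reply above,
# with the same redacted (xxxx) values. Not live data.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Set-Cookie: OutlookSession=0d1a4xxxx; path=/; secure; HttpOnly
Date: Tue, 23 Aug 2016 09:03:11 GMT
Set-Cookie: BIGipServer~xxxx_pl=rdxxxx000000000000000000xxxxx; path=/; Httponly
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: TSxxxxxxxxxxxxxxxx; Path=/; HTTPOnly
Set-Cookie: BIGipServer~xxxx_pl=rdxxxxxxo0000000000000000000xxxxxx; path=/; Httponly; Secure
"""


def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    RFC 6265 section 5.2 matches attribute names case-insensitively, so
    'secure', 'Secure', 'Httponly' and 'HTTPOnly' are the same flag; the
    keys of the returned dict are therefore lower-cased.
    """
    parts = [p.strip() for p in value.split(";")]
    # First part is name=value. A redacted ASM cookie such as TSxxxx has no
    # '=' left after redaction, so the whole token is treated as the name.
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(raw_headers):
    """Return one dict per Set-Cookie header, in response order."""
    findings = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if sep and header.strip().lower() == "set-cookie":
            name, attrs = parse_set_cookie(value.strip())
            findings.append({
                "name": name,
                "secure": "secure" in attrs,
                "httponly": "httponly" in attrs,
            })
    return findings


def missing_flags(raw_headers):
    """(name, [missing flags]) for every cookie lacking Secure or HttpOnly.

    Cookies are reported individually rather than merged by name: in the
    sample the persistence cookie is set twice, once with Secure and once
    without, and only the bare one should be flagged.
    """
    result = []
    for f in audit_cookies(raw_headers):
        checks = (("Secure", f["secure"]), ("HttpOnly", f["httponly"]))
        missing = [flag for flag, present in checks if not present]
        if missing:
            result.append((f["name"], missing))
    return result


def main():
    # Usage: curl -sI https://host/path | python3 cookie_flags.py
    # With nothing piped in, the constructed sample is audited instead.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_HEADERS
    for f in audit_cookies(raw):
        checks = (("Secure", f["secure"]), ("HttpOnly", f["httponly"]))
        flags = ", ".join(n for n, present in checks if present) or "none"
        print(f"{f['name']}: {flags}")
    bad = missing_flags(raw)
    if bad:
        print("cookies missing attributes:")
        for name, missing in bad:
            print(f"  {name}: missing {', '.join(missing)}")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run against a live host with `curl -sI https://host/path | python3 cookie_flags.py`; the non-zero exit status when any cookie lacks a flag makes it usable as a pre-change check across a fleet of BIG-IPs, which is what the original question asked for. Note that `curl -I` sends a HEAD request and shows only the cookies the server sets on that one response; cookies issued later in a session (after login, for example) need a request that actually reaches that point.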