Forum Discussion
Steve_Knapp
Altostratus
Mar 08, 2016
SOL13787: Configuring the 'secure' and 'HttpOnly' attributes for BIG-IP ASM cookies
The solution article "SOL13787: Configuring the 'secure' and 'HttpOnly' attributes for BIG-IP ASM cookies" gives instructions for enabling/disabling the secure and HttpOnly ASM cookie attributes. ...
RobertS1
Nimbostratus
Aug 23, 2016
Doesn't seem to work as it should here
I followed SOL13787 and set the secure and HttpOnly flags and restarted ASM. This is on 12.1.0 HF1.
Under Security > Options > Application Security > Advanced Configuration > System Variables: cookie_httponly_attr is set to 1 and cookie_secure_attr is set to 1.
This is my output:
curl -I https://mail.xxxx/owa/auth/logon.aspx?
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 8780
Content-Type: text/html; charset=utf-8
Expires: -1
Set-Cookie: OutlookSession=0d1a4xxxx; path=/; secure; HttpOnly
X-OWA-Version: 14.3.294.0
X-Powered-By: ASP.NET
Date: Tue, 23 Aug 2016 09:03:11 GMT
Set-Cookie: BIGipServer~xxxx_pl=rdxxxx000000000000000000xxxxx; path=/; Httponly
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: TSxxxxxxxxxxxxxxxx; Path=/; HTTPOnly
Set-Cookie: BIGipServer~xxxx_pl=rdxxxxxxo0000000000000000000xxxxxx; path=/; Httponly; Secure
So it doesn't set the secure flag at all and HTTPOnly is wrong as it should be HttpOnly of course. Any ideas? Or is this a bug?