
Adding http only / secure flags to TS cookies per policy

Dave_Pisarek
Altocumulus

Since adding flags to the TS or ASM cookie is a global change, I am guessing that adding them for a specific policy rather than globally would involve an iRule.

Below is a rule that seems like it would work, but it is not working for me and I am out of ideas.

The flow uses two VIPs, as we need to limit the number of public IP addresses being used.

public_ip_vip_443 is redirected to public_ip_vip_8443. 443 has the client-side cert and 8443 has the server-side, with the ASM policy on the 8443 VIP. This works just fine. Automap as well.

So on the 8443 VIP I want to insert the flags for the TS* cookies. Any ideas why the cookies are not being flagged?

when CLIENT_ACCEPTED {
    set is_ssl [PROFILE::exists serverssl]
}
when HTTP_RESPONSE {
    set cookie_list [HTTP::header values "Set-Cookie"]
    HTTP::header remove "Set-Cookie"
    if { $is_ssl } then {
        foreach cookie $cookie_list {
            switch -glob -- [string tolower $cookie] {
                "TS*" {
                }
                "*;*secure*httponly*" - "*;*httponly*secure*" {
                }
                "*;*httponly*" {
                    set cookie "[string trimright $cookie "; "]; Secure"
                }
                "*;*secure*" {
                    set cookie "[string trimright $cookie "; "]; HttpOnly"
                }
                default {
                    set cookie "[string trimright $cookie "; "]; Secure; HttpOnly"
                }
            }
            HTTP::header insert "Set-Cookie" $cookie
        }
    } else {
        foreach cookie $cookie_list {
            switch -glob -- [string tolower $cookie] {
                "TS*" {
                }
                "*;*httponly*" {
                }
                default {
                    set cookie "[string trimright $cookie "; "]; HttpOnly"
                }
            }
            HTTP::header insert "Set-Cookie" $cookie
        }
    }
}

1 ACCEPTED SOLUTION

SanjayP
MVP

Hi Dave, it appears you are using the iRule from the discussion. It was used to add those attributes to all cookies and skip some selected cookies, which were chosen in the switch statement.

If you want to add secure/httponly attributes only for ASM TS cookies but keep other session/application cookies unchanged, you can try using the simpler version of the iRule below. This can be applied to the 8443 ASM VIP. This should work on any version above 11.x.

Reference: https://support.f5.com/csp/article/K11324

when HTTP_RESPONSE_RELEASE {
    foreach cookielist [HTTP::cookie names] {
        switch -glob -- [string tolower $cookielist] {
            "ts*" {
                # ASM TS cookie: enable both attributes
                HTTP::cookie secure $cookielist enable
                HTTP::cookie httponly $cookielist enable
            }
            default {
                # Other cookies stay unchanged; keep checking the rest
            }
        }
    }
}
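Added example (not part of the original thread and not F5 code): a Python check that parses each Set-Cookie value into its actual attribute names and reports which TS* cookies still lack Secure or HttpOnly once the iRule is in place. The header values are constructed samples, and `substring_has_secure` is a hypothetical helper that imitates the `*;*secure*` glob from the question's iRule to show how a path such as /secure-area satisfies substring matching without the Secure attribute being present.

```python
# Added example: header values below are constructed samples, not captured traffic.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",           # application cookie, out of scope
    "TS01a2b3c4=0123abcd; Path=/",                   # TS cookie with neither flag
    "TS01ffee00=89ef; Path=/secure-area; httponly",  # "secure" only inside the path
    "ts0155aa=77; Path=/; Secure; HttpOnly",         # fully flagged
]


def parse_set_cookie(header):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def substring_has_secure(header):
    """Imitate the '*;*secure*' glob: any 'secure' substring after the first ';'."""
    _, sep, rest = header.lower().partition(";")
    return bool(sep) and "secure" in rest


def audit_ts_cookies(headers, prefix="ts"):
    """Map each cookie whose name starts with prefix (case-insensitive) to its missing flags."""
    findings = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if not name.lower().startswith(prefix):
            continue  # only TS* cookies are in scope, as in the thread
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for name, missing in audit_ts_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: missing {', '.join(missing)}")
```

To check a live VIP, feed the function the Set-Cookie values taken from a response captured on the client side of the 8443 virtual server.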

3 REPLIES

SanjayP
MVP

The HTTP_RESPONSE event is fired before the request is sent to ASM, so you want to try to modify it with the "HTTP_RESPONSE_RELEASE" event. For more details, please check the article below.

https://support.f5.com/csp/article/K14211

Dave_Pisarek
Altocumulus

Thanks, Sanjay. The iRule is now somewhat working; it is putting the HttpOnly flag but not applying the Secure.

when CLIENT_ACCEPTED {
  set is_ssl [PROFILE::exists serverssl]
}
when HTTP_RESPONSE_RELEASE {
  set cookie_list [HTTP::header values "Set-Cookie"]
  HTTP::header remove "Set-Cookie"
  if { $is_ssl } then {
    foreach cookie $cookie_list {
      switch -glob -- [string tolower $cookie] {
        "TS*" {
        }
        "*;*secure*httponly*" - "*;*httponly*secure*" {
        }
        "*;*httponly*" {
          set cookie "[string trimright $cookie "; "]; Secure"
        }
        "*;*secure*" {
          set cookie "[string trimright $cookie "; "]; HttpOnly"
        }
        default {
          set cookie "[string trimright $cookie "; "]; Secure; HttpOnly"
        }
      }
      HTTP::header insert "Set-Cookie" $cookie
    }
  } else {
    foreach cookie $cookie_list {
      switch -glob -- [string tolower $cookie] {
        "TS*" {
        }
        "*;*httponly*" {
        }
        default {
          set cookie "[string trimright $cookie "; "]; HttpOnly"
        }
      }
      HTTP::header insert "Set-Cookie" $cookie
    }
  }
}
