Forum Discussion

RobertS1 (Nimbostratus)
Aug 24, 2016

ASM Secure and HttpOnly cookies don't work as expected

I followed SOL13787, but it doesn't seem to work as it should. I set the Secure and HttpOnly flags and restarted ASM. On 12.1.0 HF1.

Under Security > Options > Application Security > Advanced Configuration > System Variables: cookie_httponly_attr is set to 1 and cookie_secure_attr is set to 1.

This is my output:

 curl -I https://mail.xxxx/owa/auth/logon.aspx?
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Length: 8780
Content-Type: text/html; charset=utf-8
Expires: -1
Set-Cookie: OutlookSession=0d1a4xxxx; path=/; secure; HttpOnly
X-OWA-Version: 14.3.294.0
X-Powered-By: ASP.NET
Date: Tue, 23 Aug 2016 09:03:11 GMT
Set-Cookie: BIGipServer~xxxx_pl=rdxxxx000000000000000000xxxxx; path=/; Httponly
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: TSxxxxxxxxxxxxxxxx; Path=/; HTTPOnly
Set-Cookie: BIGipServer~xxxx_pl=rdxxxxxxo0000000000000000000xxxxxx; path=/; Httponly; Secure

So it doesn't set the secure flag at all, and HTTPOnly is incorrect, as it should be HttpOnly according to the RFC (https://datatracker.ietf.org/doc/rfc6265/?include_text=1, chapter 5.2.6). Any ideas? Did I miss something? Is this a bug? Or a 12.1.0 issue?
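To audit a captured response like the one above, here is an added example (not from the original post or from F5) that parses every Set-Cookie header and reports which cookies lack the Secure or HttpOnly attribute. It compares attribute names case-insensitively, as RFC 6265 section 5.2 does, so the Httponly and HTTPOnly spellings count as present; the header sample is constructed with placeholder cookie values.

```python
# Constructed sample modelled on the curl -I output in the post; the cookie
# values and pool names are placeholders, not data from the page.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Set-Cookie: OutlookSession=PLACEHOLDER; path=/; secure; HttpOnly
Set-Cookie: BIGipServer~pool=PLACEHOLDER; path=/; Httponly
Set-Cookie: TSPLACEHOLDER=PLACEHOLDER; Path=/; HTTPOnly
Set-Cookie: BIGipServer~pool=PLACEHOLDER; path=/; Httponly; Secure
"""

REQUIRED_FLAGS = ("secure", "httponly")


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    RFC 6265 section 5.2 matches attribute names case-insensitively, so the
    keys are lower-cased; flag attributes without a value map to "".
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(raw_headers):
    """Return [(cookie name, [missing flags])] for each Set-Cookie header.

    Headers are kept in order, so a cookie that is set twice with different
    attributes (as BIGipServer is in the post) shows up twice.
    """
    results = []
    for line in raw_headers.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        missing = [flag for flag in REQUIRED_FLAGS if flag not in attrs]
        results.append((name, missing))
    return results


if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS):
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```

Piping real `curl -I` output into `audit_cookies` shows at a glance which cookie (application, persistence or ASM) is the one still lacking Secure.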

1 Reply

  • SOL6850 mentions two cookies and your SOL seems to indicate it only affects the "HTTP ASM Frame and Flow Frame" cookie

    https://support.f5.com/kb/en-us/solutions/public/6000/800/sol6850.html