Forum Discussion

Jon_Gilyeat_149
Jul 24, 2014

HTTP::cookie and setting flags

I'm struggling with writing some iRule logic which sets the httponly and secure flags on only the bigipserver cookies inserted by the F5 when using cookie session persistence, while not affecting any server or application inserted cookies. So far, I've had to resolve myself to creating a different iRule for each VIP for which I need to perform this action, and specifying the bigip server cookie for that VIP, e.g.:

    when HTTP_RESPONSE {
      if { [HTTP::cookie BIGipServerFoo] ne "" } {
        set ck_value [HTTP::cookie value BIGipServerFoo]
        set ck_path [HTTP::cookie path BIGipServerFoo]
        HTTP::cookie remove BIGipServerFoo
        HTTP::cookie insert name BIGipServerFoo value $ck_value path $ck_path version 1
        HTTP::cookie httponly BIGipServerFoo enable
        HTTP::cookie secure BIGipServerFoo enable
      }
    }

BigIP server cookie flags are set appropriately, application cookies are left alone, everyone is happy, apps don't break. Surely there must be some way to do this without manually picking out the cookies I want changed.

3 Replies

  • Tried this and it doesn't really work either:

    when HTTP_RESPONSE {
      if { [HTTP::cookie starts_with "BIGipServer"] } {
        set ck_names [HTTP::cookie names]
        foreach aCookie $ck_names {
          HTTP::cookie remove $aCookie
          HTTP::cookie insert name $aCookie value $aCookie path / version 1
          HTTP::cookie httponly $aCookie enable
        }
      }
    }
    
  • when HTTP_RESPONSE {
        set ck_names [HTTP::cookie names]
        foreach ck_name $ck_names {
            if { [string tolower $ck_name] starts_with "bigipserver" } {
                set ck_value [HTTP::cookie value $ck_name]
                set ck_path [HTTP::cookie path $ck_name]

                HTTP::cookie remove $ck_name
                HTTP::cookie insert name $ck_name value $ck_value path $ck_path version 1
                HTTP::cookie httponly $ck_name enable
            }
        }
    }
    
  • We have an ASM module, but we've not deployed it yet.

    After spending some time beating on it a bit more, I've managed to sort it out:

    when HTTP_RESPONSE {
       set ck [HTTP::header values "Set-Cookie"]
       foreach acookie $ck {
          if {$acookie starts_with "BIGipServer"} {
             HTTP::header replace "Set-Cookie" "${acookie}; HttpOnly"
          }
       }
    }
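
An added example, not posted by anyone in the thread: a variant of the Set-Cookie header approach that sets both HttpOnly and Secure, as the original question asked, and rebuilds every Set-Cookie header so the result does not depend on the persistence cookie being the last one (`HTTP::header replace` acts on the last occurrence of a header). It assumes the persistence cookie keeps its default `BIGipServer` name prefix and is visible in HTTP_RESPONSE, as in the iRules above.

```tcl
# Added example, not from the thread. Assumes the default "BIGipServer"
# prefix for the persistence cookie name.
when HTTP_RESPONSE {
    # Snapshot all Set-Cookie headers, then re-insert them one by one so
    # each is handled individually and application cookies keep their order.
    set cookies [HTTP::header values "Set-Cookie"]
    if { [llength $cookies] == 0 } { return }
    HTTP::header remove "Set-Cookie"

    foreach cookie $cookies {
        if { $cookie starts_with "BIGipServer" } {
            # Collect the attributes after "name=value", lower-cased and
            # trimmed, so a flag that is already present is not added twice.
            set attrs [list]
            foreach part [lrange [split $cookie ";"] 1 end] {
                lappend attrs [string tolower [string trim $part]]
            }
            if { [lsearch -exact $attrs "httponly"] < 0 } {
                append cookie "; HttpOnly"
            }
            if { [lsearch -exact $attrs "secure"] < 0 } {
                append cookie "; Secure"
            }
        }
        # Application and server cookies are re-inserted unchanged.
        HTTP::header insert "Set-Cookie" $cookie
    }
}
```

Attach this only to HTTPS virtual servers: a browser does not send a Secure cookie over plain HTTP, so cookie persistence would stop working on an HTTP-only virtual server.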