
How to add Httponly and Secure attributes to HTTP cookies (for 11.5.x)

Problem this snippet solves:

The script adds Httponly and Secure attributes to cookies issued by the server.

In v12.x software there is a better way to achieve the same outcome using the HTTP::cookie commands (although adding Httponly still requires additional tweaks because of an issue with the cookie version field; see the discussion here). However, in v11.5 and earlier releases the HTTP::cookie commands do not work as expected (in particular, cookie attributes containing upper-case characters, e.g. "Expire" and "GMT", are parsed with errors, as discussed in the 19-Oct-2013 post by DanW here). Furthermore, in these software versions F5 persistent cookies do not carry the "Httponly" attribute, and adding it with the HTTP::cookie command appears to be impossible (as the "HTTP::cookie version" command cannot be used for F5-generated cookies).

Note: the HTTP::cookie commands repair the non-RFC-compliant attributes "httponly=<any text>" and "secure=<any text>" by replacing them with "Httponly" and "Secure" respectively. The script below does not perform such replacements and leaves these non-RFC-compliant attributes unmodified (without adding duplicates of the attributes). We consider fixing non-RFC-compliant syntax to be out of scope. Browsers we tested ignored the <any text> values (in the "httponly=<any text>" and "secure=<any text>" attributes).

How to use this snippet:

The same instance of this iRule can be applied to a mixture of HTTP and HTTPS Virtual Servers; it automatically disables insertion of the “Secure” attribute for the HTTP VSs.
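The rewriting rule described above, implemented here in Python as an added example (it is not the iRule from this snippet, and the Set-Cookie values are constructed sample data): every Set-Cookie header gets "Httponly" unless an attribute equal to "httponly" or beginning with "httponly=" is already present, "Secure" is added under the same test but only when the virtual server is HTTPS, and non-RFC "httponly=<text>" / "secure=<text>" attributes are left as they are. Like the iRule, it works on the raw header string (strip trailing whitespace and ";", split on ";", skip the leading name=value pair), so attributes such as "Expires=Wed, 21 Oct 2026 07:28:00 GMT" are never parsed and cannot trip it up. A `missing_attributes` helper is included because it is the check a practitioner would run over a response before and after deploying the rule.

```python
"""Added example: Set-Cookie hardening logic that mirrors the iRule's behaviour.
Not the page's iRule; sample cookies below are constructed, not captured."""


def has_attribute(attributes, name):
    """True if any attribute equals `name` or starts with "name=" (case-insensitive).
    The "name=" form covers the non-RFC "httponly=<text>" / "secure=<text>" spellings,
    which are treated as present rather than rewritten."""
    name = name.lower()
    for attr in attributes:
        a = attr.strip().lower()
        if a == name or a.startswith(name + "="):
            return True
    return False


def _attributes(header_value):
    """Attributes after the name=value pair, with trailing whitespace and ';' dropped."""
    cookie = header_value.rstrip().rstrip(";")
    return cookie, cookie.split(";")[1:]


def harden_set_cookie(header_value, https_vs):
    """Return header_value with Httponly (and Secure, on an HTTPS VS) appended if absent.
    Never duplicates an attribute that is already there in any spelling."""
    cookie, attributes = _attributes(header_value)
    if not has_attribute(attributes, "httponly"):
        cookie += "; Httponly"
    if https_vs and not has_attribute(attributes, "secure"):
        cookie += "; Secure"
    return cookie


def harden_response(headers, https_vs):
    """Apply harden_set_cookie to each ('Set-Cookie', value) pair; other headers pass through."""
    out = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            out.append((name, harden_set_cookie(value, https_vs)))
        else:
            out.append((name, value))
    return out


def missing_attributes(header_value, https_vs):
    """Audit helper: the attributes a Set-Cookie value still lacks for this VS type."""
    _, attributes = _attributes(header_value)
    missing = []
    if not has_attribute(attributes, "httponly"):
        missing.append("Httponly")
    if https_vs and not has_attribute(attributes, "secure"):
        missing.append("Secure")
    return missing


# Constructed sample response (not captured from a real BIG-IP). The BIGipServer
# cookie stands in for an F5 persistence cookie, which ships without Httponly.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
    ("Set-Cookie", "BIGipServerpool_web=1234.5678.0000; path=/"),
    ("Set-Cookie", "prefs=dark; Expires=Wed, 21 Oct 2026 07:28:00 GMT; httponly=1; "),
    ("Set-Cookie", "sid=xyz; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for name, value in SAMPLE_HEADERS:
        if name == "Set-Cookie":
            print("before:", value.strip(), "-> missing", missing_attributes(value, True))
    for name, value in harden_response(SAMPLE_HEADERS, https_vs=True):
        print(f"{name}: {value}")
```

Running it with `https_vs=False` shows the HTTP-VS behaviour from the usage note: "Httponly" is still added everywhere, but "Secure" is never appended, which is what keeps the cookies usable over plain HTTP.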

Tested on Versions: 11.5.2 HF1; 11.5.4 HF2; 12.1.1 HF1

Comments on this Snippet
Comment made 15-Dec-2016 by Eswar HCL 0

I am running BIG-IP version 11.6.1 without any hotfix. I am trying to apply these with the above-mentioned iRule, but I do not see any Secure or HttpOnly cookies in the response header (using Fiddler).

Please suggest or help me how to fix this. Thanks for your help!!!

Regards, Eswar

0
Comment made 15-Dec-2016 by VadimT 2

Hi Eswar, it is possible that your browser still uses old cookies, so the server does not need to send updated ones. I would start by removing all cookies for the VS/FQDN in question from your browser cache. Then I would access the VS via the browser, and after that I would check the list of (updated) cookies to see whether the "httponly" (and "secure" for HTTPS) attributes are there. Fiddler can be used for this second step, but you would still need to start with clearing the cookies. Please let me know how it went. I have not tested the iRule with 11.6.x software, but it should work.

0
Comment made 15-Dec-2016 by VadimT 2

Sorry... I forgot to add. In Chrome, to clear individual cookies and then check their content, you would need to go to: Settings (advanced) -> Privacy -> Content Settings -> All cookies and site data

0
Comment made 19-Dec-2016 by Eswar HCL 0

    # Assumed, not in the posted code: $httpsVs is read below but never set there.
    # The snippet's full iRule presumably sets it in an earlier event; this version
    # derives it from whether a client-ssl profile is attached to the virtual server.
    when CLIENT_ACCEPTED {
        set httpsVs [PROFILE::exists clientssl]
    }

    when HTTP_RESPONSE {
        # Collect every Set-Cookie header, then remove them so each can be re-inserted hardened
        set setckval [HTTP::header values "Set-Cookie"]
        HTTP::header remove "Set-Cookie"
        foreach cookie1 $setckval {
            # Drop trailing whitespace and a trailing ";" so new attributes append cleanly
            set cookie1 [string trimright [string trimright $cookie1] ";"]
            # Attributes after the leading name=value pair
            set list1 [lrange [split $cookie1 ";"] 1 end]
            set hasHttpOnly false
            # On an HTTP virtual server pretend Secure is already present so it is never added
            if { $httpsVs } {
                set hasSecure false
            } else {
                set hasSecure true
            }
            foreach item1 $list1 {
                set titem1 [string tolower [string trim $item1]]
                # Both the RFC form and the non-RFC "httponly=<text>" form count as present
                if { ($titem1 eq "httponly") or ($titem1 starts_with "httponly=") } {
                    set hasHttpOnly true
                }
                if { ($titem1 eq "secure") or ($titem1 starts_with "secure=") } {
                    set hasSecure true
                }
            }
            if { not $hasHttpOnly } {
                set cookie1 "${cookie1}; Httponly"
            }
            if { not $hasSecure } {
                set cookie1 "${cookie1}; Secure"
            }
            HTTP::header insert "Set-Cookie" $cookie1
        }
    }

0
Comment made 2 months ago by DattuSa 0

Hi Eshwar, is this working for you?

0