Forum Discussion

jba3126
Oct 03, 2022

Cookies with Duplicate Names, but different values not getting Secure and HttpOnly attributes set

We had an ASV scan come back with one of our applications not setting the Secure and HttpOnly attributes. When they set them at the application layer, it seems to break their SSO functionality. We are digging into that, but in the meantime we are using the following iRule to add the Secure and HttpOnly attributes. It works; however, I noticed that the application has two cookies they are sending with identical names, but different values. For one reason or another, the first cookie with the same name gets the attributes and the second is ignored. We are exploring whether the application team needs these and, if not, we can remove them; however, until then I'm trying to see if anyone else has had this issue or thoughts on a solution.

https://support.f5.com/csp/article/K84048752


when HTTP_RESPONSE {
    # Walk the cookie names in the response. Because this iterates over
    # names rather than over individual Set-Cookie headers, a second cookie
    # that reuses a name is not processed separately (the behaviour noted above).
    foreach mycookie [HTTP::cookie names] {
        # Only the value and path are read; other attributes on the original
        # cookie (Domain, Expires, Max-Age) are not carried over on re-insert.
        set ck_value [HTTP::cookie value $mycookie]
        set ck_path [HTTP::cookie path $mycookie]
        # Remove and re-insert the cookie, then flag it Secure and HttpOnly.
        HTTP::cookie remove $mycookie
        HTTP::cookie insert name $mycookie value $ck_value path $ck_path version 1
        HTTP::cookie secure $mycookie enable
        HTTP::cookie httponly $mycookie enable
    }
}


 /jeff

1 Reply

  • Hi jba3126 

    I have a few thoughts on this. You might try to debug the contents of the [HTTP::cookie names] function by feeding its output into the log command, and observe the returned names.

    I did spot an older forum post which parses the HTTP headers directly instead of using the HTTP::cookie function: https://community.f5.com/t5/technical-forum/http-cookie-how-can-i-handle-cookies-with-duplicate-names-but/m-p/271656 I repasted it with cleaned up formatting here. Modify the logic to match on whichever cookie names you need to modify.

    when HTTP_RESPONSE {
        # Collect every Set-Cookie header value, duplicates with the same
        # cookie name included, since HTTP::header values returns each header.
        set CookieCounter 0
        foreach SetCookieHeader [HTTP::header values Set-Cookie] {
            incr CookieCounter
            log local0. "Saving Set-Cookie header value in array, index number = $CookieCounter, Value = $SetCookieHeader"
            set CookieArray($CookieCounter) $SetCookieHeader
        }
        # Strip all Set-Cookie headers, then re-add them one at a time.
        HTTP::header remove "Set-Cookie"
        log local0. "Removing Set-Cookie HTTP headers"
        # Note: array get does not guarantee index order, so headers may be
        # re-inserted in a different order than they were received.
        foreach {Index Cookie} [array get CookieArray] {
            if { $Cookie contains "iPlanetDirectoryPro" } {
                # HTTP::header insert takes the header name and value as
                # separate arguments; append the attribute to the matching cookie.
                HTTP::header insert "Set-Cookie" "$Cookie; HttpOnly"
                log local0. "Inserting cookie - $Cookie; HttpOnly"
            } else {
                HTTP::header insert "Set-Cookie" "$Cookie"
                log local0. "Inserting cookie - $Cookie"
            }
        }
    }

    Regarding the second item, the failing SSO: this may be related to the use of client-side JavaScript that may help trigger the logon process. You might try setting each attribute separately to narrow it down, and also check with the application vendor, if possible, for configuration best practices.
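As an added example (not code from either poster, and not an iRule), the per-header approach from the reply modelled in plain Python so it can be run offline: each Set-Cookie header is rewritten independently, so two cookies sharing a name both get the flags, and a flag already present is not appended twice. The sample header values and function names are constructed for illustration.

```python
# Constructed sample: two Set-Cookie headers reuse the name "session" with
# different values, the case the original post describes. Names are hypothetical.
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/",
    "session=def456; Path=/app; Domain=example.com",
    "JSESSIONID=xyz; Path=/; Secure",
]

FLAGS = ("Secure", "HttpOnly")

def cookie_name(header):
    """Name portion of a Set-Cookie header value (text before the first '=')."""
    return header.split(";", 1)[0].split("=", 1)[0].strip()

def has_flag(header, flag):
    """True when the flag attribute is already present (attribute names are case-insensitive)."""
    return any(part.strip().lower() == flag.lower() for part in header.split(";")[1:])

def missing_flags(headers):
    """Audit view: (cookie name, missing flags) per header, duplicates included."""
    return [(cookie_name(h), [f for f in FLAGS if not has_flag(h, f)]) for h in headers]

def harden_set_cookie(headers, only_names=None):
    """Append Secure and HttpOnly to each Set-Cookie header that lacks them.

    Works per header rather than per cookie name, so duplicate names are each
    rewritten; order is preserved and a flag already present is not added twice.
    only_names optionally restricts the rewrite to the given cookie names,
    much like the 'contains' match in the iRule in the reply.
    """
    out = []
    for h in headers:
        if only_names is None or cookie_name(h) in only_names:
            for flag in FLAGS:
                if not has_flag(h, flag):
                    h = f"{h}; {flag}"
        out.append(h)
    return out

if __name__ == "__main__":
    for name, missing in missing_flags(SAMPLE_SET_COOKIE):
        print(f"{name}: missing {missing or 'nothing'}")
    for h in harden_set_cookie(SAMPLE_SET_COOKIE):
        print("Set-Cookie:", h)
```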