Forum Discussion

Nimbostratus

Dec 29, 2015

httponly and secure cookie attributes in application vs. ASM cookies on v11.4.1

Vulnerability scanners in our environment have flagged applications as needing the httponly and secure attributes set so I started investigating what I needed to do. I discovered the ASM cookie sett...

Employee

Dec 31, 2015

If the cookie doesn't provide sensitive information, or session identity if can be reported as a false positive. Persistence cookies, various state cookies, etc... should not require a secure flag. Further, the typical way of "deleting" cookies is to send a Set-Cookie with the content to 'deleted' and removes the secure flag. We have successfully had these non-sensitive cookies reported as false positives.

For the actual session cookies, PHPSESSION, JSESSION, etc... the back end server should be setting the secure flag. Alternatively, you could alter the cookie as it passes by.

Forum Discussion

httponly and secure cookie attributes in application vs. ASM cookies on v11.4.1

Recent Discussions

What happens if I only enable ASM in BIG-IP Under System > Resource Provisioning

URL

Migration from i series 10200 with 1 child VCMP to r series 10900 series

Azure DP-100 Exam Questions

Deploying F5 WAF in front of Azure Web App Services

Related Content

How to add Httponly and Secure attributes to HTTP cookies (for 11.5.x)

Lightboard Lessons: HTTP Cookie SameSite Attribute

Application Programming Interface (API) Authentication types simplified

Enhance your Application Security using Client-side signals

F5 BIG-IP per application Red Hat OpenShift cluster migrations