Doubt to append cookie in header

Hi there,

I was wondering if you guys could help me with some doubts I'm having with the creation of some iRules to protect some vulnerabilities.

In this particular case I need to add the HttpOnly and Secure flags in a session cookie, so I created this iRule:

foreach cookie [HTTP::cookie names] {
    set value [HTTP::cookie value $cookie]
    # Record the original length up front so the comparison below is always defined
    set valuelen [string length $value]
    if { "" != $value } {
        set testvalue [string tolower $value]
        log local0. "Cookie found: $cookie = $value"
        # Append Secure unless the value already carries it
        switch -glob $testvalue {
            "*;secure*" -
            "*; secure*" { }
            default { set value "$value; Secure" }
        }
        # Append HttpOnly unless the value already carries it
        switch -glob $testvalue {
            "*;httponly*" -
            "*; httponly*" { }
            default { set value "$value; HttpOnly" }
        }
    }
    # Rewrite the cookie only if a flag was appended
    if { [string length $value] > $valuelen } {
        #log local0. "Replacing cookie $cookie with $value"
        HTTP::cookie value $cookie "${value}"
    }
}

Is that the best way to avoid this vulnerability? Would you guys have any other suggestions to improve this code? Is there another way to mitigate this vulnerability?

Best Regards


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I think you could use HTTP::cookie; you can set the httponly and secure flags on each of the cookies manually if you want. And you'd want to do that on the HTTP_RESPONSE event.

when HTTP_RESPONSE {
    foreach cookie [HTTP::cookie names] {
        HTTP::cookie secure $cookie enable
        HTTP::cookie httponly $cookie enable
    }
}
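
An added example, not part of the original thread: a small Python check for confirming that the response cookies actually carry `Secure` and `HttpOnly` as attributes once an iRule like the one above is in place. The function names and the sample `Set-Cookie` values are constructed for illustration; attribute names are compared exactly and case-insensitively rather than by substring.

```python
# Added example: audit Set-Cookie header values for the Secure and HttpOnly attributes.

def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, set of attribute names)."""
    parts = header_value.split(";")
    name, _, value = parts[0].strip().partition("=")
    attrs = set()
    for part in parts[1:]:
        # Attribute names are case-insensitive; flags such as Secure carry no "=value".
        attr_name = part.strip().partition("=")[0].strip().lower()
        if attr_name:
            attrs.add(attr_name)
    return name, value, attrs


def missing_flags(set_cookie_headers, required=("secure", "httponly")):
    """Return {cookie_name: [missing attributes]} for cookies lacking a required flag."""
    findings = {}
    for header_value in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header_value)
        missing = [flag for flag in required if flag not in attrs]
        if missing:
            findings[name] = missing
    return findings


# Constructed sample: Set-Cookie values as they might appear on one response.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly",  # both flags present
    "lang=en; Path=/",                              # neither flag
    "prefs=securemode; Path=/; HTTPONLY",           # "secure" only inside the value
    "tracking=xyz; Path=/; secure",                 # HttpOnly missing
]

if __name__ == "__main__":
    for cookie, missing in missing_flags(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(missing)}")
```

Feed it the `Set-Cookie` values captured from a response that passed through the virtual server; an empty result means every cookie has both flags.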