Forum Discussion

Jos__233__Manue
Sep 29, 2011

HTTP::cookie httponly enable doesn't seem to do anything

On LTM v10.2 setting "HTTP::cookie httponly enable" has no effect.

On the wiki, it says this is for v11 only, but it seems to be recognized. Also, there's no more information about this command on the wiki http://devcentral.f5.com/wiki/iRules.HTTP__cookie.ashx

This is an application that can be accessed through two different URLs and I want to set the path and add secure and httponly attributes.

The iRule is the following:

when CLIENT_ACCEPTED {
    set add_persist 1
    set cookie_path "/"
}

when HTTP_REQUEST {
    if { [HTTP::cookie exists "JSESSIONID"] } {
        persist uie [HTTP::cookie "JSESSIONID"]
    } else {
        set jsess [findstr [HTTP::uri] "jsessionid" 11 ";"]
        if { $jsess != "" } {
            persist uie $jsess
        }
    }
    switch -glob [HTTP::path] {
        "/url1*" {
            set cookie_path "/url1"
        }
        "/url2*" {
            set cookie_path "/url2"
        }
    }
}

when HTTP_RESPONSE {
    if { [HTTP::cookie exists "JSESSIONID"] and $add_persist } {
        HTTP::cookie path "JSESSIONID" $cookie_path
        HTTP::cookie secure "JSESSIONID" enable
        HTTP::cookie httponly enable
        persist add uie [HTTP::cookie "JSESSIONID"]
        set add_persist 0
    }
}

The Set-Cookie does not add httponly, just secure and path.

Any ideas on how to enable httponly this way? Or should I generate the Set-Cookie header directly?

1 Reply

  • Hi Jose,

    The httponly option was added in v11 and shouldn't work in past versions. You'd need to modify the Set-Cookie header to append it in pre-v11.

    Aaron
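
The pre-v11 workaround described in the reply, as an added example that is not part of the original thread: an iRule that rebuilds the Set-Cookie headers and appends HttpOnly to JSESSIONID when the attribute is missing. It uses only HTTP::header commands, assumes it is the code that handles Set-Cookie in HTTP_RESPONSE, and its variable names are illustrative.

```tcl
when HTTP_RESPONSE {
    # Cookie to protect; name taken from the iRule in the question.
    set target "JSESSIONID"

    # Collect every Set-Cookie header so each one can be rebuilt.
    set cookies [HTTP::header values "Set-Cookie"]
    if { [llength $cookies] == 0 } { return }
    HTTP::header remove "Set-Cookie"

    foreach cookie $cookies {
        # Only the target cookie is modified; others are re-inserted as-is.
        if { [string match "${target}=*" [string trimleft $cookie]] } {
            # Check the attributes (everything after the first ";")
            # for an existing HttpOnly, ignoring case and whitespace.
            set has_httponly 0
            foreach attr [lrange [split $cookie ";"] 1 end] {
                if { [string tolower [string trim $attr]] eq "httponly" } {
                    set has_httponly 1
                    break
                }
            }
            if { !$has_httponly } {
                # Drop any trailing "; " before appending the attribute.
                set trimmed [string trimright $cookie "; "]
                set cookie "${trimmed}; HttpOnly"
            }
        }
        HTTP::header insert "Set-Cookie" $cookie
    }
}
```

The result can be confirmed by inspecting the response headers from a client and checking that the JSESSIONID Set-Cookie line ends with HttpOnly while other cookies are unchanged.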