Hoolio... I checked out the link and it seems to be doing more than what I'm looking to do, so I attempted to strip it down a bit. I came up with the following code, which seems to work OK; it came up as a valid iRule:
when HTTP_RESPONSE {
    # Collect every Set-Cookie header the server sent in this response
    set ck [HTTP::header values "Set-Cookie"]
    # Remove them all, then re-insert each one with HttpOnly appended
    HTTP::header remove "Set-Cookie"
    foreach acookie $ck {
        HTTP::header insert "Set-Cookie" "${acookie}; HttpOnly"
    }
}
I didn't run the curl command before applying this, so to double-check that it was being applied I ran it afterwards and was given this:
[root@LTM1:Active] config curl -I http://test.domain.com
HTTP/1.1 200 OK
Date: Fri, 02 Nov 2012 14:14:26 GMT
Server: Microsoft-IIS/6.0
Cache-Control: post-check=3600,pre-check=43200
X-Powered-By: ASP.NET
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 14971
Set-Cookie: ASP.NET_SessionId=qrjevsr5lk14uw45b1d4ghql; path=/; HttpOnly; HttpOnly
Since it's showing it twice, that indicates, at least to me, that HttpOnly is already being applied. So I did a curl on another site that the iRule wasn't being applied to but was listed in the security scan results as a site that didn't have HttpOnly. The results are below:
[root@LTM1:Active] config curl -I http://domain.com
HTTP/1.1 200 OK
Date: Fri, 02 Nov 2012 14:22:29 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=m3u2q2rppvieexfm3o4mlwz4; path=/; HttpOnly
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 18883
Based on what I'm seeing, this may be a false positive, right?
Thanks,
Bob
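The two checks the post performs by eye (does each Set-Cookie carry HttpOnly, and does the iRule end up appending it twice) can be done mechanically. The following is an added example, not the poster's iRule and not F5 code: it parses the head of a raw HTTP response the way `curl -I` prints it, lists the cookies that lack HttpOnly, and rewrites the Set-Cookie headers the way the iRule does but idempotently, so a cookie the server already flagged is not given a second `HttpOnly`. The sample responses are constructed from the headers quoted in the post; the function names are the example's own.

```python
"""Check and rewrite Set-Cookie headers for the HttpOnly flag.

Added example. The sample responses below are constructed from the
headers quoted in the post; they are not live captures.
"""

# Constructed: the site behind the iRule (note the doubled HttpOnly).
RESPONSE_WITH_IRULE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Set-Cookie: ASP.NET_SessionId=qrjevsr5lk14uw45b1d4ghql; path=/; HttpOnly; HttpOnly
Content-Type: text/html; charset=utf-8
"""

# Constructed: a response with no HttpOnly at all, the case the scanner reports.
RESPONSE_WITHOUT_HTTPONLY = """HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Set-Cookie: ASP.NET_SessionId=m3u2q2rppvieexfm3o4mlwz4; path=/
Set-Cookie: theme=blue; path=/; HttpOnly
Content-Type: text/html; charset=utf-8
"""


def header_lines(raw_response):
    """Yield (name, value) for each header in the response head.

    The status line is skipped and parsing stops at the blank line that
    separates headers from the body.
    """
    for line in raw_response.splitlines()[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            yield name.strip(), value.strip()


def set_cookie_headers(raw_response):
    """Return the value of every Set-Cookie header, matched case-insensitively."""
    return [v for n, v in header_lines(raw_response) if n.lower() == "set-cookie"]


def cookie_name(cookie_value):
    """'name=value; attr; attr' -> 'name'."""
    return cookie_value.split(";", 1)[0].split("=", 1)[0].strip()


def has_httponly(cookie_value):
    """True if any attribute after the name=value pair is HttpOnly (any case)."""
    attrs = [a.strip().lower() for a in cookie_value.split(";")[1:]]
    return "httponly" in attrs


def cookies_missing_httponly(raw_response):
    """Names of cookies in the response that are set without HttpOnly."""
    return [cookie_name(v) for v in set_cookie_headers(raw_response)
            if not has_httponly(v)]


def add_httponly(cookie_value):
    """Append HttpOnly exactly once, dropping any existing copies first.

    This is the idempotent form of the iRule's "${acookie}; HttpOnly".
    """
    parts = [p.strip() for p in cookie_value.split(";")]
    name_value = parts[0]
    attrs = [a for a in parts[1:] if a and a.lower() != "httponly"]
    return "; ".join([name_value] + attrs + ["HttpOnly"])


def rewrite_set_cookie(raw_response):
    """Mirror the iRule: strip all Set-Cookie headers and re-emit them with
    HttpOnly, keeping every other header and its order intact."""
    lines = raw_response.splitlines()
    out = [lines[0]]
    cookies = []
    for name, value in header_lines(raw_response):
        if name.lower() == "set-cookie":
            cookies.append(add_httponly(value))
        else:
            out.append(f"{name}: {value}")
    out.extend(f"Set-Cookie: {c}" for c in cookies)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("missing HttpOnly:", cookies_missing_httponly(RESPONSE_WITHOUT_HTTPONLY))
    print(rewrite_set_cookie(RESPONSE_WITHOUT_HTTPONLY))
```

Run against the post's first response this reports nothing missing, which is the same conclusion the poster reached from the doubled flag; run against a response with no flag it names the offending cookie. The rewrite keeps a single `HttpOnly` even when the origin server already sent one, which removes the `HttpOnly; HttpOnly` seen in the curl output without changing what the browser enforces.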