Forum Discussion

Jeff_Bonifant_1
Dec 19, 2014

Secure-Only Flag on a Cookie through an F5 SSL Termination

Is anyone aware of the effects of a Cookie that is marked as Secure-Only in an environment where SSL is terminated by the F5? I assume that the cookie "flows" back to the web server but I would also assume that the web-server may reject the cookie.

Appreciate anyone's experience...

1 Reply

  • I assume that the cookie "flows" back to the web server but I would also assume that the web-server may reject the cookie.

    I have never encountered it. Based on RFC 2965, I feel it is more like advice rather than enforcement.

    3.4  How an Origin Server Interprets the Cookie Header
       A user agent returns much of the information in the Set-Cookie2
       header to the origin server when the request-URI path-matches the
       Path attribute of the cookie.  When it receives a Cookie header, the
       origin server SHOULD treat cookies with NAMEs whose prefix is $
       specially, as an attribute for the cookie.
    
    Secure
          OPTIONAL.  The Secure attribute (with no value) directs the user
          agent to use only (unspecified) secure means to contact the origin
          server whenever it sends back this cookie, to protect the
          confidentially and authenticity of the information in the cookie.
    
          The user agent (possibly with user interaction) MAY determine what
          level of security it considers appropriate for "secure" cookies.
          The Secure attribute should be considered security advice from the
          server to the user agent, indicating that it is in the session's
          interest to protect the cookie contents.  When it sends a "secure"
          cookie back to a server, the user agent SHOULD use no less than
          the same level of security as was used when it received the cookie
          from the server.
    

    HTTP State Management Mechanism

    http://tools.ietf.org/html/rfc2965

    Just my 2 cents.
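As an added illustration of the point discussed in this thread (example code, not from the original post or from F5), the following Python sketch models both directions of the cookie flow through a TLS-terminating proxy: the Secure attribute travels only in Set-Cookie, the browser withholds Secure cookies on plain http, and the Cookie header that reaches the backend carries name=value pairs with no attributes at all. The Set-Cookie headers are constructed samples.

```python
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie headers as a backend speaking plain HTTP
# behind the F5 might emit them. Only the second one is marked Secure.
BACKEND_SET_COOKIES = [
    "SESSIONID=abc123; Path=/; HttpOnly",
    "PREF=dark; Path=/; Secure",
]


def add_secure_flag(set_cookie_header):
    """Response path: return the Set-Cookie header with Secure added if it
    is missing. A TLS-terminating proxy can do this so that browsers return
    the cookie only over HTTPS even though the backend itself is plain HTTP."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    (morsel,) = jar.values()  # one cookie per Set-Cookie header
    morsel["secure"] = True
    return morsel.OutputString()


def browser_cookie_header(set_cookie_headers, request_scheme):
    """Request path: build the Cookie header a browser would send to a URL
    with the given scheme. Secure cookies are withheld on plain http, and the
    Cookie header carries only name=value pairs, never the attributes."""
    jar = SimpleCookie()
    for header in set_cookie_headers:
        jar.load(header)
    pairs = [
        f"{m.key}={m.coded_value}"
        for m in jar.values()
        # Morsel attributes default to "" when not set, so this is falsy
        if request_scheme == "https" or not m["secure"]
    ]
    return "; ".join(pairs)


def backend_view(cookie_header):
    """Parse the forwarded Cookie header the way a backend does. The result
    holds names and values only: the Secure attribute set on the response is
    not echoed in the request, so the server has nothing to accept or reject on."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return {m.key: m.value for m in jar.values()}
```

In the terminated-TLS case the browser talks https to the F5, so both cookies are sent; the F5 forwards them over http, and `backend_view` shows the server sees plain pairs and cannot tell which were Secure.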