Forum Discussion

osb_177194
Apr 17, 2015

httponly cookie flag

Hi,

 

I am trying to use this iRule, but when I enable the httponly option the VS is not working:

    when HTTP_RESPONSE {
        HTTP::cookie version 1
        HTTP::cookie secure enable
        HTTP::cookie domain
        HTTP::cookie httponly enable
    }

If I use HTTP::header I lose persistency between the nodes in the pool:

    when HTTP_RESPONSE {
        set ck [HTTP::header values "Set-Cookie"]
        foreach acookie $ck {
            if {$acookie starts_with ""} {
                HTTP::header replace "Set-Cookie" "${acookie}; HttpOnly; Secure"
            }
        }
    }

Any help please? Thanks

 

2 Replies

  • If I use HTTP::header I lose persistency between the nodes in the pool:

    Have you seen the cookie in subsequent requests?


  • I use this iRule. If you are running Version 11 code, you can remove the hash in front of the marked line. HTTPOnly is only available in V11. It doesn't affect persistence.

     

    when RULE_INIT {

        # Cookie name prefix
        set static::ck_pattern "BIGipServer*"

        # Log debug to /var/log/ltm? (1=yes, 0=no)
        set static::ck_debug 0

        # Cookie encryption passphrase
        # Change this to a custom string!
        set static::ck_pass "somesecurepass1234"
    }
    when HTTP_REQUEST {

        if {$static::ck_debug} {log local0. "Request cookie names: [HTTP::cookie names]"}

        # Check if the cookie names in the request match our string glob pattern
        if {[set cookie_names [lsearch -all -inline [HTTP::cookie names] $static::ck_pattern]] ne ""} {

            # We have at least one match so loop through the cookie(s) by name
            if {$static::ck_debug} {log local0. "Matching cookie names: $cookie_names"}
            foreach cookie_name $cookie_names {

                # Decrypt the cookie value and check if the decryption failed (null return value)
                if {[HTTP::cookie decrypt $cookie_name $static::ck_pass] eq ""} {

                    # Cookie wasn't encrypted, delete it so a forged plaintext value is never honoured
                    if {$static::ck_debug} {log local0. "Removing cookie as decryption failed for $cookie_name"}
                    HTTP::cookie remove $cookie_name
                }
            }
            if {$static::ck_debug} {log local0. "Cookie header(s): [HTTP::header values Cookie]"}
        }
    }
    when HTTP_RESPONSE {

        if {$static::ck_debug} {log local0. "Response cookie names: [HTTP::cookie names]"}

        # Check if the cookie names in the response match our string glob pattern
        if {[set cookie_names [lsearch -all -inline [HTTP::cookie names] $static::ck_pattern]] ne ""} {

            # We have at least one match so loop through the cookie(s) by name
            if {$static::ck_debug} {log local0. "Matching cookie names: $cookie_names"}
            foreach cookie_name $cookie_names {

                # Encrypt the cookie value and mark the cookie Secure
                HTTP::cookie encrypt $cookie_name $static::ck_pass
                HTTP::cookie secure $cookie_name enable
                # Added in V11 code: remove the leading hash if you run V11 or later
                #HTTP::cookie httponly $cookie_name enable
            }
            if {$static::ck_debug} {log local0. "Set-Cookie header(s): [HTTP::header values Set-Cookie]"}
        }
    }
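As an added example that is not from either poster, this is the HTTP::header variant from the question rewritten so that every Set-Cookie header survives: the original called HTTP::header replace on each loop pass, so each cookie overwrote the previous one and only the last reached the client, which is what dropped the BIGipServer persistence cookie. It assumes an HTTPS virtual server (a Secure cookie is never sent by the browser over plain HTTP); the per-attribute check and the remove/insert pattern are this example's own, not the thread's.

```tcl
# Added example (not from the thread): keep every Set-Cookie header and add
# HttpOnly/Secure to each, instead of replacing all headers with the last one.
# Assumes an HTTPS virtual server; on a cleartext VS drop the Secure branch.
when HTTP_RESPONSE {
    # One Set-Cookie header per cookie; capture them all before changing any
    set cookies [HTTP::header values "Set-Cookie"]
    if {[llength $cookies] == 0} { return }

    # Remove every Set-Cookie header once, then re-insert each with its flags
    HTTP::header remove "Set-Cookie"
    foreach acookie $cookies {
        # Inspect only the attributes after "name=value", so a cookie whose
        # value happens to contain the text "secure" is not mistaken for the flag
        set has_httponly 0
        set has_secure 0
        foreach attr [lrange [split $acookie ";"] 1 end] {
            switch -- [string tolower [string trim $attr]] {
                "httponly" { set has_httponly 1 }
                "secure"   { set has_secure 1 }
            }
        }
        # Append only the flags the origin server did not already set
        if {!$has_httponly} { append acookie "; HttpOnly" }
        if {!$has_secure}   { append acookie "; Secure" }
        HTTP::header insert "Set-Cookie" $acookie
    }
}
```

Because the persistence cookie is re-inserted along with the application cookies, the pool member chosen on the first request is still encoded in the client's next request.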