Forum Discussion

Mike_Cronquist_
Mar 22, 2016

Question on setting ASM cookie attributes "Secure" "HTTPOnly"

I have followed the steps in the article: SOL13787: Configuring the 'secure' and 'HttpOnly' attributes for BIG-IP ASM cookies. https://support.f5.com/kb/en-us/solutions/public/13000/700/sol13787.html

 

When I am testing to make sure that the ASM cookies contain these attributes, I get mixed results. Sometimes the cookie contains the flags and sometimes the cookie does NOT.

 

For example, when I am viewing the headers/cookies on the HTTP response, my first attempt shows NO flags.

 

    HTTP/?.? 200 OK
    Date: Tue, 22 Mar 2016 15:06:21 GMT
    Last-Modified: Mon, 21 Mar 2016 16:47:02 GMT
    Etag: "5807c0-c60d-52e91d89b2686"
    Accept-Ranges: bytes
    Content-Length: 50701
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: TS01d1bdbc=01999b702344514c65c6ee86723db44c429e71aaf68a4c1b4289513367f0036995c4e212fa; Path=/

 

I then wait a bit, clear all cookies and content and try it again. This time I DO get the correct flags.

 

    HTTP/?.? 200 OK
    Date: Tue, 22 Mar 2016 15:23:30 GMT
    Last-Modified: Mon, 21 Mar 2016 16:48:03 GMT
    Etag: "540a57-c60d-52e91dc375f89"
    Accept-Ranges: bytes
    Content-Length: 50701
    Connection: close
    Content-Type: text/html; charset=UTF-8
    Set-Cookie: TS01d1bdbc=01999b7023e21db6b479cf33230c83d66e8734b4f54314b360bb74c458686a6bc00b4e0ff9; Path=/; Secure; HTTPOnly

 

I have verified that the flags are set by following the steps in this thread: https://devcentral.f5.com/questions/sol13787-configuring-the-secure-and-httponly-attributes-for-big-ip-asm-cookies

 

Can anyone give me ideas as to why these attributes are not showing every time this cookie is getting set?

 

Thanks!!

 

1 Reply

  • You may have figured it out already. What is the platform? If you are using a multi-blade platform, you need to set the variable and restart ASM on all the blades.

     

    Regards, Kimi.
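The manual check described in the question can be repeated over many captured responses so that intermittent results stand out. The following is an added example, not part of the original thread or F5's documentation; it assumes ASM cookies are identified by the `TS` name prefix seen in the question, and the sample responses are constructed (cookie values shortened).

```python
import re

# Assumption: BIG-IP ASM cookies are recognised by the "TS" name prefix,
# as in the TS01d1bdbc cookie shown in the question.
ASM_COOKIE = re.compile(r"^TS[0-9A-Za-z_]+$")
REQUIRED = ("secure", "httponly")


def parse_set_cookies(raw_response):
    """Yield (name, attribute-name set) for each Set-Cookie header in a raw response."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:          # skip the status line
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        name = parts[0].partition("=")[0].strip()
        # Attribute names are case-insensitive (HTTPOnly == HttpOnly).
        attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
        yield name, attrs


def audit(responses):
    """Return {cookie: [missing attributes per response]} for ASM cookies."""
    results = {}
    for raw in responses:
        for name, attrs in parse_set_cookies(raw):
            if ASM_COOKIE.match(name):
                missing = [a for a in REQUIRED if a not in attrs]
                results.setdefault(name, []).append(missing)
    return results


def inconsistent(results):
    """Names of cookies whose missing-flag set differs between responses."""
    return sorted(n for n, seen in results.items()
                  if len({tuple(m) for m in seen}) > 1)


# Constructed sample responses modelled on the two in the question.
SAMPLES = [
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: TS01d1bdbc=01999b70aaaa; Path=/\r\n\r\n<html></html>",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: TS01d1bdbc=01999b70bbbb; Path=/; Secure; HTTPOnly\r\n\r\n",
]

if __name__ == "__main__":
    report = audit(SAMPLES)
    print(report, "inconsistent:", inconsistent(report))
```

Feeding it responses saved from repeated requests, each with a cleared cookie jar, shows how often the flags are absent rather than relying on a single browser check.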