Forum Discussion

Nimbostratus

May 22, 2014

HTTP::cookie incorrectly marks a insecure cookie as secure if followed by another secure cookie [10.2.4]

We have a public application that failed a security audit when some cookies did not have the secure flag. We had an irule in place to force all cookies in the response to have the secure flag, but it...

Cirrostratus

May 23, 2014

Based on the information here the HTTP::cookie command isn't too reliable: https://devcentral.f5.com/questions/how-to-properly-insert-httponly-and-secure-cookie-directives.

I'd highly recommend you use something like this (from that article) but you'll need to add a check to see if those attributes already exist;

set unsafe_cookie_headers [HTTP::header values "Set-Cookie"]
HTTP::header remove "Set-Cookie"

foreach set_cookie_header $unsafe_cookie_headers {  
    HTTP::header insert "Set-Cookie" "${set_cookie_header}; Secure; HttpOnly"
}

Forum Discussion

HTTP::cookie incorrectly marks a insecure cookie as secure if followed by another secure cookie [10.2.4]

Recent Discussions

Disk space full - what files, folders are safe to delete?

Converting config to DO

Enterprise Security best practices with F5 WAF

Web acceleration

Content type hearder charset=UTF-8

Related Content

Mitigating OWASP Web Application Risk: Insecure Design using F5 XC platform

iRule to take cookie from HTTP Response into HTTP Request via table

Change cookie domain in HTTP::respond

Lightboard Lessons: HTTP Cookie SameSite Attribute

Lightboard Lessons: OWASP Top 10 - Insecure Deserialization