Irule - How this Secure Cookie Irule works ?

Question

Can some one explain how this SECURE_COOKIE Irule works .

ltm rule SECURE_COOKIE {

when HTTP_RESPONSE_RELEASE {

set unsafe_cookie_headers [HTTP::header values "Set-Cookie"]

HTTP::header remove "Set-Cookie"

foreach set_cookie_header $unsafe_cookie_headers {

HTTP::header insert "Set-Cookie" "${set_cookie_header}; Secure"

}

dario_garrido · Answer

The iRule adds the tag "Secure" to all "Set-Cookie" headers. This is done to avoid clients to use those cookie in case of being in a unsafe communication.

REF - https://en.wikipedia.org/wiki/Secure_cookie

KR,

Dario.

dario_garrido · Answer

The client is not going to use the cookie tagged as "Secure" if the communication is through HTTP (unsecure).

REF - https://en.wikipedia.org/wiki/Secure_cookie

I would appreciate if you rate my answer.

KR,

Dario.

dario_garrido · Answer

when HTTP_RESPONSE_RELEASE {
	# Get all values of Set-Cookie headers
	set unsafe_cookie_headers [HTTP::header values "Set-Cookie"]
	# Remove the current unsafe Set-Cookie header
	HTTP::header remove "Set-Cookie"
	foreach set_cookie_header $unsafe_cookie_headers {
		# Insert a new Set-Cookie header with '&lt;value&gt;; Secure' for each one (to securize)
		HTTP::header insert "Set-Cookie" "${set_cookie_header}; Secure"
	}
}

blue_whale · Answer

Dario thank you , &nbsp;what do you mean by &nbsp;unsafe communication ?

Forum Discussion

Irule - How this Secure Cookie Irule works ?

4 Replies

Recent Discussions

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Enabling AVR and creating Profiles

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

Related Content

Avoiding Common iRules Security Pitfalls

Increased Security With First Party Cookies

Using ChatGPT for security and introduction of AI security

iRule: Securing Cookies

iRule to take cookie from HTTP Response into HTTP Request via table