F5 LTM irule to mark cookie as secure and httponly and Why

Updated on:

Some Background

When it comes to handling the web application related vulnerabilities. Most of the vulnerabilities could be fixed by having the proper configuration at the F5 level.

By using the right configuration at the F5. like having proper SSL Cipher at the SSL profile of the VIP (or) creating and mapping specific irules to remove (or) modify some of the critical cookies like JSESSIONID (or) BigIpServer and mark them secure and HTTP only or enabling/inserting "Strict Transport Security" headers etc.

this post is just to share the iRule which helps to mark the cookie as secure and httponly

F5 irule to mark cookie as secure and httponly

 

Why should we do it?

As a summary we are giving the reason why should we do it?

Reason for marking them httponly

When you tag a cookie with the HttpOnly flag, it tells the browser that this particular cookie should only be accessed by the server. Any attempt to access the cookie from client script is strictly forbidden. Thereby,  we make it hard for the attacker to execute the XSS cross site scripting attack.

Reason for  marking them as secure

In general when the site is available through HTTP and HTTPS both. There are chances that the attacker can tamper/hack the authentication related cookies from the HTTP request made by someone to the server and use the same cookies over HTTP/HTTPS to run the exploit (or) even pretend to be the user(victim) to the server and do evil.

If you mark sensitive and confidential cookies like SSO cookies or authentication related cookies with a secure flag, the marked cookies will only be sent over an HTTPS connection. Thereby, we can make it hard for the attacker to hack into your account (like net banking)

 

The iRule to mark the cookies as secure and httponly

when HTTP_RESPONSE {
set Cookies [HTTP::cookie names]

# Loop though cookies
foreach mycookie $Cookies {

if { ( $mycookie starts_with "JSESSIONID" or $mycookie starts_with "BIGipServer" ) } {

# Reinsert cookie with version 1 then mark httponly
if { [HTTP::cookie version $mycookie] != 1 } {
set ckval [HTTP::cookie value $mycookie]
set ckpath [HTTP::cookie path $mycookie]
HTTP::cookie remove $mycookie
HTTP::cookie insert name $mycookie value $ckval path $ckpath version 1
}

# Mark Cookie httponly
HTTP::cookie httponly $mycookie enable

# Mark F5 Cookies as secure
HTTP::cookie secure $mycookie enable 
}
} 
}

 

Some Explanation

We get all the cookies from the response and trying to find the cookies starts with either JSESSIONID and BIGipServer using starts_with module of F5 Big IP iRule and adding a version attribute to them to prevent redoing the same work (or) duplicating the efforts.

Once the version attribute has been added. we mark these cookies as httponly and secure The following lines do that.

# Mark Cookie httponly 
HTTP::cookie httponly $mycookie enable 
# Mark F5 Cookies as secure
 HTTP::cookie secure $mycookie enable

 

How to Verify

The process given below is for chrome.

Hit the Corresponding URL (VIP) in your browser -> open Developer tools -> Go to Networks tab -> Retry the URL -> click on the main page (or) domain name you have requested in the Name column amongst various pages served (css/images etc)

Now, Go to the Cookies tab

you can find the BigIPServer Cookie and make sure that HTTP and Secure attributes are checked.

In chrome, it looks like this.

Note*: we have intentionally covered/hidden some portion of  Name and the Value for security reasons

Cookies marked as httponly and secure

 

Hope this helps.

Leave a ratings if you like [ratings]

Thanks
SaravAK

Follow me on Linkedin My Profile
Follow DevopsJunction onFacebook orTwitter
For more practical videos and tutorials. Subscribe to our channel

Buy Me a Coffee at ko-fi.com

Signup for Exclusive "Subscriber-only" Content

More from Middleware Inventory

  • F5 irule to log TLS version and SSL Handshake Information

    The Overview In this post, we are going to share the irule we have recently designed for one of our requirement. We basically wanted to log when the client is using a weak cipher or deprecated protocols like SSLV3, TLSv1.0 or TLSv1.1 This iRule would help you get an insight on what…

  • F5 - How to List All Virtual Servers with Persistence Profiles

    For F5 BigIP professionals/administrators, it is a tough but indispensable job, to generate reports of virtual servers and their associated resources like iRule, Persistence Profile, Client SSL profile etc. I have already written various scripts to efficiently perform some of these reporting tasks and shared it here. you can find them…

  • F5 Export Pools and their VIP mappings from All Partitions

    The Objective This article is for you if you are looking for a solution for any of these scenarios Export or List All the Pools across All the Partitions Export or List All the Pools and their VIP mapping across all the partitions available Export or List All the Unused…

  • F5-BIG-IP LTM - How to Export Pools and their members as CSV

    If you are looking for a way to export (or) print  F5 Bigip Local Traffic Manager (LTM)  Load Balancer pools and their members in Comma Separated Values (CSV) format. This script is for you Note*: It uses tmsh command line and this has to be executed in the F5 Big-IP Advanced Shell…

  • F5 LTM - Get Client SSL Profiles with their VIP Mapping and CIPHER Configuration - tmsh

    This is for those who are wondering is there a way to get a CSV report with Complete List of Client SSL Profiles and their VIP Mapping and  CIPHER Configuration in F5 LTM using tmsh Prerequisites BigIP LTM 11 and above Administrator Shell Access ( for logging in to terminal ) tmsh utility (…