Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Force Secure cookie

headcloudmonkey
Not applicable
‎09-15-2016 04:13:AM
‎09-15-2016 04:13:AM

Force Secure cookie

I have a backend IIS pool that uses port 80, behind a virtual server that decrypts the SSL. I want to ensure that the cookies the web site returns have the 'secure' flag set on them. What can I use in a response rule to enfore this? I've asked our developers to force it on their applications, but it's a long way down their task list and I'd find it easier to enforce this globally on the vTM with a rule.

 

Thanks in advance,

Dan

0 Kudos
2 REPLIES 2
Baptiste Assmann
Occasional Contributor
‎09-16-2016 04:27:AM
‎09-16-2016 04:27:AM

Re: Force Secure cookie

Hi Dan,

 

You can do this through a Response Rule:

 

$setcookie = http.getResponseHeader( "Set-Cookie" );

if (! string.contains($setcookie, "Secure")) {
  $setcookie = $setcookie . "; Secure";
  http.setResponseHeader("Set-Cookie", $setcookie);
}

​

 

Baptiste

0 Kudos
antoonh
Occasional Contributor
‎09-19-2016 05:24:AM
‎09-19-2016 05:24:AM

Re: Force Secure cookie

An alternative (straightforward) approach would be to set the "cookie!secure" flag on the "protocol settings" page of the virtual server to "set the secure flag".

cookie settings for http virtual servers

 

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.