I have a backend IIS pool that uses port 80, behind a virtual server that decrypts the SSL. I want to ensure that the cookies the web site returns have the 'secure' flag set on them. What can I use in a response rule to enforce this? I've asked our developers to force it on their applications, but it's a long way down their task list and I'd find it easier to enforce this globally on the vTM with a rule.
Thanks in advance,
Dan
Hi Dan,
You can do this through a Response Rule:
    $setcookie = http.getResponseHeader( "Set-Cookie" );
    # Only touch responses that actually carry a cookie, otherwise the rule emits a bogus "Set-Cookie: ; Secure" header.
    # The attribute name is case-insensitive (RFC 6265), so compare lower-cased and match "secure" as a whole ';'-separated token, not as a substring.
    if( $setcookie != "" && !string.regexmatch( string.toLower( $setcookie ), "(^|;)[ \t]*secure[ \t]*(;|$)" ) ) {
       $setcookie = $setcookie . "; Secure";
       http.setResponseHeader( "Set-Cookie", $setcookie );
    }
Baptiste
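The rule above keys on a substring match, which misses lower-case "secure" and, if the header is absent, appends "; Secure" to an empty value. The following is an added example (Python, not TrafficScript, and not from this thread) that models the logic a practitioner would want the rule to implement: a case-insensitive, whole-attribute check applied to every Set-Cookie header, plus an audit function for verifying the result from the client side (for instance over the Set-Cookie headers returned by `curl -I`). It goes slightly beyond the question by also reporting cookies that lack HttpOnly. The sample headers are constructed test data.

```python
"""Model of a 'force Secure on Set-Cookie' response rule, plus an audit helper.

Added illustrative code, not part of the original thread and not TrafficScript.
"""
import re
from typing import Iterable, List

# RFC 6265: attribute names are case-insensitive, so "secure", "SECURE" and
# "Secure" all mean the same thing. Match the attribute as a whole token
# between ';' separators so that a cookie *named* "secure_token", or a value
# containing the word, does not count as already protected.
_SECURE_ATTR = re.compile(r"(?:^|;)\s*secure\s*(?=;|$)", re.IGNORECASE)
_HTTPONLY_ATTR = re.compile(r"(?:^|;)\s*httponly\s*(?=;|$)", re.IGNORECASE)


def has_secure(set_cookie: str) -> bool:
    """True if this Set-Cookie value already carries the Secure attribute."""
    return _SECURE_ATTR.search(set_cookie) is not None


def force_secure(set_cookie: str) -> str:
    """One Set-Cookie header value -> the same value with Secure guaranteed."""
    value = set_cookie.strip()
    if not value:
        # A missing header must stay missing: appending "; Secure" to nothing
        # would produce a bogus "Set-Cookie: ; Secure" header.
        return value
    if has_secure(value):
        return value
    return value.rstrip(";").rstrip() + "; Secure"


def force_secure_all(headers: Iterable[str]) -> List[str]:
    """Apply force_secure to every Set-Cookie header of a response.

    Applications usually emit one Set-Cookie header per cookie, so a rule that
    inspects only a single header value leaves the other cookies unprotected.
    """
    return [force_secure(h) for h in headers if h.strip()]


def audit(headers: Iterable[str]) -> List[str]:
    """Report cookies that still lack Secure or HttpOnly, for checking the rule
    from the outside (e.g. over the Set-Cookie lines of a curl -I response)."""
    findings = []
    for h in headers:
        name = h.split("=", 1)[0].strip()
        if not has_secure(h):
            findings.append(f"{name}: missing Secure")
        if _HTTPONLY_ATTR.search(h) is None:
            findings.append(f"{name}: missing HttpOnly")
    return findings


# Constructed sample Set-Cookie headers (not captured from any real site).
SAMPLE_SET_COOKIE = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",       # needs Secure
    "pref=dark; Path=/; Expires=Wed, 21 Oct 2015 07:28:00 GMT; secure",  # lower-case attribute already present
    "secure_token=xyz; Path=/",                         # name contains 'secure', attribute absent
    "",                                                 # no header at all
]

if __name__ == "__main__":
    before = [h for h in SAMPLE_SET_COOKIE if h]
    after = force_secure_all(SAMPLE_SET_COOKIE)
    for b, a in zip(before, after):
        print(f"{b!r}\n  -> {a!r}")
    print("remaining findings:", audit(after))
```

Running the block shows the session cookie and `secure_token` gaining "; Secure", the `pref` cookie left untouched because its lower-case `secure` already satisfies the check, and the empty header dropped rather than turned into a stray attribute.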
An alternative (straightforward) approach would be to set the "cookie!secure" flag on the "protocol settings" page of the virtual server to "set the secure flag".