vADC Forum

Frequent Visitor
Posts: 1
Registered: ‎09-15-2016

Force Secure cookie

I have a backend IIS pool that uses port 80, behind a virtual server that decrypts the SSL. I want to ensure that the cookies the web site returns have the 'secure' flag set on them. What can I use in a response rule to enfore this? I've asked our developers to force it on their applications, but it's a long way down their task list and I'd find it easier to enforce this globally on the vTM with a rule.


Thanks in advance,


Posts: 13
Registered: ‎07-07-2016

Re: Force Secure cookie

Hi Dan,


You can do this through a Response Rule:


$setcookie = http.getResponseHeader( "Set-Cookie" );

if (! string.contains($setcookie, "Secure")) {
  $setcookie = $setcookie . "; Secure";
  http.setResponseHeader("Set-Cookie", $setcookie);




Posts: 15
Registered: ‎11-29-2012

Re: Force Secure cookie

An alternative (straightforward) approach would be to set the "cookie!secure" flag on the "protocol settings" page of the virtual server to "set the secure flag".

cookie settings for http virtual servers


Join the Community

Get quick and easy access to valuable resource designed to help you manage your Brocade Network.