F5 iRules : Setting the HttpOnly flag on an HTTP cookie

The HttpOnly flag on a cookie prevents client-side code from accessing the cookie.

If you set this flag on the cookie in HTTP_RESPONSE in the iRule, you get the error below:

when HTTP_RESPONSE {
    # A cookie inserted without a version is created as version 0
    HTTP::cookie insert name "UserName" value "john.doe" path "/" domain "xyz.com"
    # Fails: the httponly flag cannot be set on a version 0 cookie
    HTTP::cookie httponly "UserName" enable
}

Improper version invoked from within "HTTP::cookie httponly "UserName" enable"

If you create a cookie using the insert method, the cookie is created with version 0. If you then try to change its version to 1 to avoid the above error, you get another error.

when HTTP_RESPONSE {
    HTTP::cookie insert name "UserName" value "john.doe" path "/" domain "xyz.com"
    # Fails: the version of an existing version 0 cookie cannot be changed
    HTTP::cookie version "UserName" 1
    HTTP::cookie httponly "UserName" enable
}

Illegal argument (line x) invoked from within "HTTP::cookie version "UserName" "1"

The right way to add the httponly flag to a cookie is to specify the version while inserting it, and then set the httponly flag.

when HTTP_RESPONSE {
    # Insert the cookie as version 1 so that the httponly flag can be set on it
    HTTP::cookie insert name "UserName" value "john.doe" path "/" domain "xyz.com" version 1
    HTTP::cookie version "UserName" 1
    HTTP::cookie httponly "UserName" enable
}

Testing

If you have a Chrome extension like EditThisCookie, which lets you view all the cookies for the web app, you can see the HttpOnly flag checked for the cookie.

With httponly not enabled on the cookie, the cookie can be accessed via the client-side script document.cookie.

With httponly enabled on the cookie, the cookie can NOT be accessed via the client-side script document.cookie.
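Besides checking in a browser extension, the flag can be verified directly on the Set-Cookie response headers (for example, captured with curl -I). The following is an added example, not code from the original post: a small parser for Set-Cookie header values that reports cookies lacking HttpOnly, run over constructed sample headers modelled on the UserName cookie the iRule inserts (the exact wire format BIG-IP emits for a version 1 cookie is an assumption here).

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SetCookie:
    name: str
    value: str
    # attribute names are stored lower-cased; flags such as HttpOnly map to ""
    attrs: Dict[str, str] = field(default_factory=dict)

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header_value: str) -> SetCookie:
    """Parse one Set-Cookie header value: name=value; attr[=val]; ..."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        # attribute names are case-insensitive; strip RFC 2109 style quotes
        attrs[key.strip().lower()] = val.strip().strip('"')
    return SetCookie(name.strip(), value.strip().strip('"'), attrs)


def cookies_missing_httponly(headers: List[str]) -> List[str]:
    """Return the names of cookies in the given Set-Cookie values without HttpOnly."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.httponly]


# Constructed sample headers (assumed format): the version 1 UserName cookie
# set by the iRule, beside a plain version 0 cookie that lacks the flag.
SAMPLE_HEADERS = [
    'UserName="john.doe"; Version=1; Path="/"; Domain="xyz.com"; HttpOnly',
    "SessionId=abc123; Path=/; Domain=xyz.com",
]

if __name__ == "__main__":
    for name in cookies_missing_httponly(SAMPLE_HEADERS):
        print(f"cookie without HttpOnly: {name}")
```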
