Bug ID 755628: Deleted APM cookies missing 'secure' and 'HttpOnly' flags

Last Modified: Sep 14, 2023

Affected Product(s):
BIG-IP APM(all modules)

Known Affected Versions:
14.1.0,,,,,, 14.1.2,,,,,,,,, 14.1.3,, 14.1.4,,,,,,, 14.1.5,,,,,

Fixed In:

Opened: Jan 16, 2019

Severity: 2-Critical


Returned deleted cookies are missing 'secure' and/or 'HttpOnly' flags.


Some vulnerability scanners may detect that as security issue.


When APM cookies with 'secure' and 'HttpOnly' flags are deleted, those flags are missing in response Set-Cookie: headers.


iRule like the next: when HTTP_RESPONSE_RELEASE { foreach mycookie [HTTP::cookie names] { HTTP::cookie secure $mycookie enable HTTP::cookie httponly $mycookie enable } }

Fix Information

Preserved the flags 'secure' and 'HttpOnly' for deleted APM cookies

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips