When using a persistence profile with HTTP Cookie Type, the HTTPOnly attribute is not being set in the cookies

Article ID: 383457

Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

When a persistence profile is configured with the HTTP Cookie type, the cookies being sent to the pool servers do not have the "HTTPOnly" attribute set, even though the HTTP Application Profile used by the virtual service has the "HTTP-Only" parameter set.

Cause

When using the persistence profile type of "HTTP Cookie", the setting that adds the "HTTPOnly" attribute to the persistence cookies is configured within the persistence profile settings, not the HTTP Application Profile settings.
The "HTTP-Only" cookies setting in the HTTP Application Profile is not used in this case.

Resolution

To enable the HTTPOnly setting for the persistence cookies, it currently needs to be configured through the CLI.

To verify the current HTTP-Only setting in the persistence profile:

- SSH to the controller leader node and type shell to enter the Avi shell (and authenticate).

- Then enter the following command to view the persistence profile settings:

show applicationpersistenceprofile <profile name>

If http_only is set to False like in the screenshot below, or you do not see a value for http_only, then this setting needs to be set to True for HTTPOnly to be added to persistence cookies.

To change the setting to True, enter the following commands through the shell:

> configure applicationpersistenceprofile <profile name>

applicationpersistenceprofile> http_cookie_persistence_profile

applicationpersistenceprofile:http_cookie_persistence_profile> http_only

Overwriting the previously entered value for http_only

applicationpersistenceprofile:http_cookie_persistence_profile> save

applicationpersistenceprofile> save

>
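
To confirm the result after saving, the Set-Cookie headers of a captured HTTP response can be checked for the attribute. The following is an added example, not part of the original article or of the product; the cookie names and values in the sample headers are constructed placeholders.

```python
"""Check Set-Cookie headers in a raw HTTP response for the HttpOnly attribute."""

# Constructed sample response headers. The cookie names and values are
# placeholders, not values produced by any real deployment.
SAMPLE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: EXAMPLEPERSIST=026cc2fffb-httponly-a1; path=/\r\n"
    "Set-Cookie: appsession=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)
# Same response as it should look once http_only is True on the profile.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("; path=/\r\n", "; path=/; HttpOnly\r\n")


def cookie_flags(raw_headers):
    """Return {cookie_name: {"httponly": bool, "secure": bool}} per Set-Cookie line."""
    result = {}
    for line in raw_headers.split("\r\n"):
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        # First segment is name=value; the remaining segments are attributes.
        pair, *attrs = [part.strip() for part in value.split(";")]
        name = pair.partition("=")[0].strip()
        # Attribute names are case-insensitive. Compare attribute names only, so
        # a cookie value that happens to contain "httponly" is not counted.
        attr_names = {a.partition("=")[0].strip().lower() for a in attrs}
        result[name] = {
            "httponly": "httponly" in attr_names,
            "secure": "secure" in attr_names,
        }
    return result


def missing_httponly(raw_headers):
    """Names of cookies set without HttpOnly, sorted."""
    flags = cookie_flags(raw_headers)
    return sorted(name for name, f in flags.items() if not f["httponly"])


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, "missing HttpOnly:", missing_httponly(sample))
```

The raw header text can come from any capture of the virtual service's response; only the parsing is shown here.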