How to mark Azure Application Gateway cookie-based affinity as secure and httponly using rewrite

nhshovon 21 Reputation points
2021-08-13T16:26:47.783+00:00

I'm using WAF V2 and enabled cookie-based affinity. But it seems like the cookie-based affinity cookies (ApplicationGatewayAffinity, ApplicationGatewayAffinityCORS) are not marked as httponly and secure.

How can I mark those cookies as httponly and secure using Application Gateway Rewrites? Please help.

Azure Application Gateway
Azure Web Application Firewall

1 answer

  1. ChaitanyaNaykodi-MSFT 24,666 Reputation points Microsoft Employee
    2021-08-17T07:08:31.383+00:00

    Hello @nhshovon, apologies for the delayed response here. Currently, setting up httponly and secure flags using Application Gateway Rewrites is not supported. The team is aware of this limitation and has a roadmap to enhance the cookie handling experience in the future. Meanwhile, please feel free to upvote this feature request regarding the same.
    Currently, the secure attribute is set when the request is sent using HTTPS. You can refer to this documentation for any additional details. Please let me know if there are any concerns. Thank you!
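
To see which flags the affinity cookies actually carry on a given listener, the response headers can be audited directly. The following is an added example, not part of the answer above and not Microsoft's code: it parses a raw response header block and reports missing Secure and HttpOnly flags for the two cookie names from the question. The function names are hypothetical and both header samples are constructed, not captured from a real gateway.

```python
# Added example: audit Set-Cookie headers for the gateway affinity cookies.
AFFINITY_COOKIES = ("ApplicationGatewayAffinity", "ApplicationGatewayAffinityCORS")


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_affinity_cookies(raw_headers):
    """Return {cookie name: [missing flags]} for affinity cookies only."""
    findings = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        # Header field names are case-insensitive; skip the status line.
        if not sep or field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name not in AFFINITY_COOKIES:
            continue
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        # Browsers reject SameSite=None cookies that are not also Secure.
        if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
            missing.append("samesite=none-without-secure")
        findings[name] = missing
    return findings


# Constructed samples: a plain-HTTP response and an HTTPS response.
SAMPLE_HTTP = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: ApplicationGatewayAffinity=0123abcd; Path=/
Set-Cookie: session=xyz; Path=/; Secure; HttpOnly
"""
SAMPLE_HTTPS = """HTTP/1.1 200 OK
set-cookie: ApplicationGatewayAffinity=0123abcd; Path=/; Secure
Set-Cookie: ApplicationGatewayAffinityCORS=0123abcd; Path=/; SameSite=None; Secure
"""

if __name__ == "__main__":
    for label, sample in (("http", SAMPLE_HTTP), ("https", SAMPLE_HTTPS)):
        print(label, audit_affinity_cookies(sample))
```

To check a live listener, pass the function the header block saved from a request to your own gateway, once over HTTP and once over HTTPS.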