Setting HTTPOnly or Secure flag for Session Affinity cookie

In this guide, you learn how to create a Rewrite set for your Application Gateway and configure the Secure and HttpOnly flags on the ApplicationGatewayAffinity cookie.

Prerequisites

  • You must have an Azure subscription. You can create a trial subscription before you begin.
  • An existing Application Gateway resource configured with at least one Listener, Rule, Backend Setting and Backend Pool configuration. If you don't have one, you can create one by following the QuickStart guide.

Important

If your backend application returns multiple Set-Cookie headers (for example, application cookies in addition to the ApplicationGatewayCookie), the simple pattern matching approach shown in this article will apply the rewrite to all Set-Cookie headers. To target only the ApplicationGatewayCookie specifically, use the HeaderValueMatcher pattern matching feature. For more information, see Pattern matching for Set-Cookie headers.

Creating a Rewrite set

  1. Sign in to the Azure portal.
  2. Navigate to the required Application Gateway resource.
  3. Select Rewrites in the left pane.
  4. Select Rewrite set.
  5. Under the Name and Association tab:
    1. Specify a name for this new rewrite set.
    2. Select the routing rules for which you wish to rewrite the ApplicationGatewayAffinity cookie's flag.
    3. Select Next.
  6. Select "Add rewrite rule".
    1. Enter a name for the rewrite rule.
    2. Enter a numeric value for the Rule Sequence field.
  7. Select "Add condition".
  8. Now open the "If" condition box and use the following details.
    1. Type of variable to check - HTTP header
    2. Header type - Response header
    3. Header name - Common header
    4. Common header - Set-Cookie
    5. Case-sensitive - No
    6. Operator - equal (=)
    7. Pattern to match - (.*)

      Note

      This pattern (.*) matches all Set-Cookie headers. If you need to target only the ApplicationGatewayCookie and preserve other Set-Cookie headers, see Pattern matching for Set-Cookie headers to use the HeaderValueMatcher feature.

    8. To save these details, select OK.
  9. Go to the Then box to specify action details.
    1. Rewrite type - Response header
    2. Action type - Set
    3. Header name - Common header
    4. Common header - Set-Cookie
    5. Header value - {http_resp_Set-Cookie_1}; HttpOnly; Secure
    6. Select OK
  10. Select Update to save the rewrite set configuration.
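The condition and action above are easy to misjudge when the backend emits more than one Set-Cookie header. The following Python is an added example, not Microsoft's documentation code and not the gateway's rewrite engine: it models the `(.*)` condition and the `{http_resp_Set-Cookie_1}; HttpOnly; Secure` action as a simple per-header transform, then audits each resulting Set-Cookie value for missing flags and for attributes the rewrite duplicated. The sample headers and the cookie values in them are constructed.

```python
"""Added example: model the guide's Set-Cookie rewrite and audit the result.

This is a simplified, illustrative model of the rewrite rule (assumption: the
action is applied independently to every Set-Cookie header that matches the
condition, which is what the guide warns happens with the (.*) pattern).
It is not Application Gateway's own implementation.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Condition from the guide: Set-Cookie equals pattern "(.*)", case-insensitive.
CONDITION = re.compile(r"(.*)", re.IGNORECASE)
# Action from the guide: Set-Cookie = "{http_resp_Set-Cookie_1}; HttpOnly; Secure".
# The capture group stands in for the {http_resp_Set-Cookie_1} server variable.
APPENDED_ATTRIBUTES = "; HttpOnly; Secure"

# Constructed sample response: the affinity cookie plus two application cookies.
SAMPLE_SET_COOKIE_HEADERS = [
    "ApplicationGatewayAffinity=0123456789abcdef; Path=/",  # constructed value
    "app_session=abc123; Path=/; HttpOnly",                 # constructed app cookie
    "theme=dark; Path=/; Secure",                           # constructed app cookie
]


def rewrite_set_cookie(headers: List[str]) -> List[str]:
    """Apply the guide's rule to each Set-Cookie header value (simplified model)."""
    rewritten = []
    for value in headers:
        match = CONDITION.fullmatch(value)
        if match:
            rewritten.append(match.group(1) + APPENDED_ATTRIBUTES)
        else:
            rewritten.append(value)  # unreachable with (.*), kept for other patterns
    return rewritten


def parse_set_cookie(value: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a Set-Cookie value into (cookie name, [(attribute, attr_value), ...]).

    Attribute names are lower-cased; flag attributes such as HttpOnly carry "".
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attributes = []
    for part in parts[1:]:
        if part:
            key, _, attr_value = part.partition("=")
            attributes.append((key.strip().lower(), attr_value.strip()))
    return name.strip(), attributes


def missing_flags(value: str) -> List[str]:
    """Return which of HttpOnly / Secure are absent from one Set-Cookie value."""
    _, attributes = parse_set_cookie(value)
    present = {key for key, _ in attributes}
    return [flag for flag in ("httponly", "secure") if flag not in present]


def duplicate_attributes(value: str) -> List[str]:
    """Return attribute names that occur more than once in one Set-Cookie value.

    The (.*) rule appends HttpOnly and Secure unconditionally, so application
    cookies that already carried either flag end up with it twice.
    """
    _, attributes = parse_set_cookie(value)
    counts = Counter(key for key, _ in attributes)
    return sorted(key for key, count in counts.items() if count > 1)


def audit(headers: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Per cookie name, report missing flags and duplicated attributes."""
    report = {}
    for value in headers:
        name, _ = parse_set_cookie(value)
        report[name] = {
            "missing": missing_flags(value),
            "duplicates": duplicate_attributes(value),
        }
    return report


if __name__ == "__main__":
    print("before rewrite:", audit(SAMPLE_SET_COOKIE_HEADERS))
    print("after rewrite: ", audit(rewrite_set_cookie(SAMPLE_SET_COOKIE_HEADERS)))
```

The audit half is the part worth keeping after deployment: run the same `missing_flags` check over the real Set-Cookie headers returned through the gateway (for example, captured with `curl -sSI https://<your-gateway-host>/`) to confirm the affinity cookie now carries both flags, and use `duplicate_attributes` to see whether application cookies picked up repeated attributes, which is the case the Important note above suggests handling with HeaderValueMatcher instead of `(.*)`.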

Next steps