diff --git a/patterns/1f0702aaabef60a615abf41f_resources/resources.zip b/patterns/1f0702aaabef60a615abf41f_resources/resources.zip index 88b4b41..3c642f5 100644 Binary files a/patterns/1f0702aaabef60a615abf41f_resources/resources.zip and b/patterns/1f0702aaabef60a615abf41f_resources/resources.zip differ diff --git a/patterns/204c22beaccdfd22727af378_labels/labels.zip b/patterns/204c22beaccdfd22727af378_labels/labels.zip index a979d99..32e9da6 100644 Binary files a/patterns/204c22beaccdfd22727af378_labels/labels.zip and b/patterns/204c22beaccdfd22727af378_labels/labels.zip differ diff --git a/patterns/204c22beaccdfd22727af378_template/webdata.zip b/patterns/204c22beaccdfd22727af378_template/webdata.zip index 16f39bb..262b1e6 100644 Binary files a/patterns/204c22beaccdfd22727af378_template/webdata.zip and b/patterns/204c22beaccdfd22727af378_template/webdata.zip differ diff --git a/patterns/4c65de021d362462324a3a5f_authStatesFile/SendSamlResponseWithErrorState.xml b/patterns/4c65de021d362462324a3a5f_authStatesFile/SendSamlResponseWithErrorState.xml index 1e5ed6b..e65e67d 100644 --- a/patterns/4c65de021d362462324a3a5f_authStatesFile/SendSamlResponseWithErrorState.xml +++ b/patterns/4c65de021d362462324a3a5f_authStatesFile/SendSamlResponseWithErrorState.xml @@ -2,7 +2,7 @@ - + \ No newline at end of file diff --git a/patterns/4f6692a69e4f33c8ed4c145f_script/responseHeaderPostProcessing.lua b/patterns/4f6692a69e4f33c8ed4c145f_script/responseHeaderPostProcessing.lua new file mode 100644 index 0000000..ce29239 --- /dev/null +++ b/patterns/4f6692a69e4f33c8ed4c145f_script/responseHeaderPostProcessing.lua 
@@ -0,0 +1,12 @@ +function outputHeader(request, response) + trace = request:getTracer() + + -- rename Set-Cookie2 header + local setCookieHeader = response:getHeader("Set-Cookie2") + if (setCookieHeader ~= nil) then + trace:debug("Set a new cookie: " .. setCookieHeader) + response:addHeader("Set-Cookie", setCookieHeader) + response:removeHeader("Set-Cookie2") + end + +end \ No newline at end of file diff --git a/patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip b/patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip index a979d99..32e9da6 100644 Binary files a/patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip and b/patterns/4fcfadb4a5c946ead7e6e995_labels/labels.zip differ diff --git a/patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip b/patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip index 16f39bb..262b1e6 100644 Binary files a/patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip and b/patterns/4fcfadb4a5c946ead7e6e995_template/webdata.zip differ diff --git a/patterns/6d83506dfcc430c12d81dfa3_authStatesFile/AskMobileNumber.xml b/patterns/6d83506dfcc430c12d81dfa3_authStatesFile/AskMobileNumber.xml index 625bd28..70a4c19 100644 --- a/patterns/6d83506dfcc430c12d81dfa3_authStatesFile/AskMobileNumber.xml +++ b/patterns/6d83506dfcc430c12d81dfa3_authStatesFile/AskMobileNumber.xml @@ -2,8 +2,9 @@ - - + + + @@ -13,5 +14,5 @@ - + diff --git a/patterns/6d83506dfcc430c12d81dfa3_resources/askMobileNumber.groovy b/patterns/6d83506dfcc430c12d81dfa3_resources/askMobileNumber.groovy index 46cd9f0..95630dc 100644 --- a/patterns/6d83506dfcc430c12d81dfa3_resources/askMobileNumber.groovy +++ b/patterns/6d83506dfcc430c12d81dfa3_resources/askMobileNumber.groovy 
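Review bot: `trace:debug("Set a new cookie: " .. setCookieHeader)` writes the full header value into the trace log, and because the rename is generic (every upstream `Set-Cookie2` is promoted to `Set-Cookie`, not only `agovSkipAskingMobile`), a future cookie carrying a session or token value would be logged as well; log the fact rather than the value, e.g. `trace:debug("Renamed Set-Cookie2 header to Set-Cookie")`. `trace` is also assigned without `local`, so it escapes into the global Lua environment of the proxy; make it `local trace = request:getTracer()`. If `response:getHeader` returns only the first value when several `Set-Cookie2` headers are present while `removeHeader` drops them all, additional cookies would be lost silently — worth confirming against the proxy API, or adding a comment that states the single-header assumption. A header comment explaining why the hook exists (the auth script cannot emit several `Set-Cookie` headers, so it uses `Set-Cookie2` as a carrier) would spare the next maintainer a search through the Groovy scripts.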
@@ -6,6 +6,15 @@ import ch.nevis.idm.client.HTTPRequestWrapper import groovy.json.JsonSlurper import groovy.xml.XmlSlurper +def getHeader(String name) { + def inctx = request.getLoginContext() + // case-insensitive lookup of HTTP headers + def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER) + map.putAll(inctx) + return map['connection.HttpHeader.' + name] +} + + // Accounting def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown' def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown' 
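Review bot: `map.putAll(inctx)` into a `TreeMap(String.CASE_INSENSITIVE_ORDER)` silently collapses any two login-context keys that differ only in case (the last one written wins), and it copies the whole context on every call just to read a single key. A single scan avoids both: `return request.getLoginContext().find { it.key.equalsIgnoreCase('connection.HttpHeader.' + name) }?.value`. A one-line comment stating that header values arrive from the proxy as `connection.HttpHeader.*` entries and that the method returns `null` when the header is absent would document the contract the cookie handling further down relies on. If the context can hold several entries for the same header (repeated `Cookie` headers, for instance), which one survives is not determinable from this hunk and should be confirmed.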
@@ -28,7 +37,45 @@ if (mobile) { response.setResult('done') return } -if (inargs['submit'] && inargs['mobile']) { + +if (!inargs['submit'] && (!inargs['mobile'] || !inargs['mobile'].isEmpty()) && inargs['language'] && inargs['language'] != session['ch.nevis.session.user.language']) { + // language switch, nothing else to do, just display again the GUI + response.setStatus(AuthResponse.AUTH_CONTINUE) + return +} + +// TODO/haburger/2024-11-24: check/adapt value of skip checkbox +if (inargs['submit'] && (!inargs['mobile'] || inargs['mobile'].isEmpty()) && inargs['skip'] && inargs['skip'] == 'true') { + // no mobile, and user wants to skip it + + LOG.info("Event='NOMOBILENUMBER', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}'") + + // persistent cookie for 30d; + def agovSkipAskingMobileCookie = "agovSkipAskingMobile=true; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=2592000; SameSite=Strict; Secure; HttpOnly" + // setHeader doesn't support multiple headers with the same name, so we use + // a different one, and rewrite it in the proxy with Lua + response.setHeader('Set-Cookie2', agovSkipAskingMobileCookie) + response.setResult('done') + return +} + +def agovSkipAskingMobileCookie = 'missing' + +if (getHeader('cookie') != null) { + def cookies = getHeader('cookie') + if (cookies.matches('^.*agovSkipAskingMobile=([^;]+).*$')) { + agovSkipAskingMobileCookie = cookies.replaceAll('^.*agovSkipAskingMobile=([^;]+).*$', '$1') + } +} +if (agovSkipAskingMobileCookie == 'true') { + // Don't aske the user again... 
+ LOG.info("Event='SKIPPEDMOBILENUMBER', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}'") + response.setResult('done') + return +} + + +if (inargs['submit'] && inargs['mobile'] && !inargs['mobile'].isEmpty()) { String result def patchBdy = "{\"contacts\":{\"mobile\":\"${inargs['mobile']?.trim()}\"},\"modificationComment\":\"added mobile number from user during request ${requestId}\"}" diff --git a/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml b/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml index 1af8a28..a5898a8 100644 --- a/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml +++ b/patterns/7a913eec7f78ce674cd87854_authStatesFile/IDP_IDP_Status_Check_State.xml @@ -4,6 +4,6 @@ - + diff --git a/patterns/826166d230a6a4849f2837ae_authStatesFile/returnTimeoutButKeepSessionState.xml b/patterns/826166d230a6a4849f2837ae_authStatesFile/returnTimeoutButKeepSessionState.xml index dafeec6..955feea 100644 --- a/patterns/826166d230a6a4849f2837ae_authStatesFile/returnTimeoutButKeepSessionState.xml +++ b/patterns/826166d230a6a4849f2837ae_authStatesFile/returnTimeoutButKeepSessionState.xml @@ -2,6 +2,6 @@ - + diff --git a/patterns/9ff0369f3cf662f95d94ff09_authStatesFile/EnsureRecoveryCode.xml b/patterns/9ff0369f3cf662f95d94ff09_authStatesFile/EnsureRecoveryCode.xml index a02ff3c..2fd695a 100644 --- a/patterns/9ff0369f3cf662f95d94ff09_authStatesFile/EnsureRecoveryCode.xml +++ b/patterns/9ff0369f3cf662f95d94ff09_authStatesFile/EnsureRecoveryCode.xml @@ -35,7 +35,7 @@ - + diff --git a/patterns/Auth_Realm_Main_IDP_4fcfadb4a5c946ead7e6e995.yml b/patterns/Auth_Realm_Main_IDP_4fcfadb4a5c946ead7e6e995.yml index b4e57fa..11b6966 100644 --- a/patterns/Auth_Realm_Main_IDP_4fcfadb4a5c946ead7e6e995.yml +++ b/patterns/Auth_Realm_Main_IDP_4fcfadb4a5c946ead7e6e995.yml 
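Review bot: The cookie lookup `cookies.matches('^.*agovSkipAskingMobile=([^;]+).*$')` is not anchored to a cookie boundary, so any cookie whose name merely ends in `agovSkipAskingMobile` (e.g. `xagovSkipAskingMobile=true`) satisfies it and the greedy `.*` hands back the last such match; evaluate the pattern once and anchor it, e.g. `def m = (cookies =~ /(?:^|;\s*)agovSkipAskingMobile=([^;]+)/); if (m.find()) { agovSkipAskingMobileCookie = m.group(1) }`. The skip decision then rests on an unsigned, client-controlled cookie scoped to the shared `Domain=${parameters.get('cookie.domain')}`, so any host under that domain can plant it and suppress the prompt for a user; that is acceptable only if providing a mobile number is genuinely optional in this flow, which a comment above the `SKIPPEDMOBILENUMBER` branch should state explicitly. The language-switch guard `(!inargs['mobile'] || !inargs['mobile'].isEmpty())` is true for a missing or non-empty field but false for an empty one, the opposite shape of the skip branch's `(!inargs['mobile'] || inargs['mobile'].isEmpty())`; if the field is irrelevant to a language switch drop that clause, otherwise document why an empty string is excluded. Separately, the unchanged `patchBdy` line at the end of the hunk still interpolates `inargs['mobile']` into a JSON string without escaping, so a quote or backslash in the submitted value alters the document structure; building the body with `groovy.json.JsonOutput.toJson(...)` from a map would close that. The `TODO/haburger` about the skip checkbox is still open, so `inargs['skip'] == 'true'` should be confirmed against the value the `AskMobileNumber.xml` template actually posts.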
@@ -24,6 +24,6 @@ pattern: cookieName: "agov" initialSessionTimeout: "var://idp-authentication-session-timeout" sessionTimeout: "30m" - langCookieDomain: "var://auth_realm_main_idp-language-cookie-domain" + langCookieDomain: "var://agov-language-cookie-domain" resetAuthenticationCondition: "#{ (inargs.containsKey('SAMLRequest') and session.containsKey('ch.nevis.auth.saml.request.id'))\ \ ? 'restart' : '' }" diff --git a/patterns/Ensure_Recovery_Code_9ff0369f3cf662f95d94ff09.yml b/patterns/Ensure_Recovery_Code_9ff0369f3cf662f95d94ff09.yml index 7dd2db3..179af8b 100644 --- a/patterns/Ensure_Recovery_Code_9ff0369f3cf662f95d94ff09.yml +++ b/patterns/Ensure_Recovery_Code_9ff0369f3cf662f95d94ff09.yml @@ -9,9 +9,9 @@ pattern: authStatesFile: "res://9ff0369f3cf662f95d94ff09#authStatesFile" parameters: "var://ensure_recovery_code-parameters" onSuccess: - - "pattern://6d83506dfcc430c12d81dfa3" + - "pattern://2cdd910036aa06b102863a4f" onFailure: - - "pattern://6d83506dfcc430c12d81dfa3" + - "pattern://2cdd910036aa06b102863a4f" resources: "res://9ff0369f3cf662f95d94ff09#resources" keyObjects: - "pattern://bcfe78c02cbe0588528bc3cb" diff --git a/patterns/IdP_ResponseHeader_Post_Processing_4f6692a69e4f33c8ed4c145f.yml b/patterns/IdP_ResponseHeader_Post_Processing_4f6692a69e4f33c8ed4c145f.yml new file mode 100644 index 0000000..b4a1c15 --- /dev/null +++ b/patterns/IdP_ResponseHeader_Post_Processing_4f6692a69e4f33c8ed4c145f.yml @@ -0,0 +1,8 @@ +schemaVersion: "1.0" +pattern: + id: "4f6692a69e4f33c8ed4c145f" + className: "ch.nevis.admin.v4.plugin.nevisproxy.patterns.LuaPattern" + name: "IdP_ResponseHeader_Post_Processing" + properties: + script: "res://4f6692a69e4f33c8ed4c145f#script" + phase: "BEFORE_SANITATION" diff --git a/patterns/NotUsed_Auth_Realm_06aeae2d799e492f5580d03b.yml b/patterns/NotUsed_Auth_Realm_06aeae2d799e492f5580d03b.yml index 2581283..633653d 100644 --- a/patterns/NotUsed_Auth_Realm_06aeae2d799e492f5580d03b.yml 
+++ b/patterns/NotUsed_Auth_Realm_06aeae2d799e492f5580d03b.yml @@ -20,4 +20,4 @@ pattern: logrend: - "pattern://097929211988398a87bcbb0c" initialSessionTimeout: "var://idp-authentication-session-timeout" - langCookieDomain: "var://auth_realm_main_idp-language-cookie-domain" + langCookieDomain: "var://agov-language-cookie-domain" diff --git a/patterns/Virtual_Host_idp_1f0702aaabef60a615abf41f.yml b/patterns/Virtual_Host_idp_1f0702aaabef60a615abf41f.yml index 3284825..e3b2294 100644 --- a/patterns/Virtual_Host_idp_1f0702aaabef60a615abf41f.yml +++ b/patterns/Virtual_Host_idp_1f0702aaabef60a615abf41f.yml @@ -19,6 +19,7 @@ pattern: - "pattern://bcca48cd422668aa2f78ea42" - "pattern://3d45f250b698005a29eb58b6" - "pattern://162d4ee18e469c146df153cc" + - "pattern://4f6692a69e4f33c8ed4c145f" - "pattern://0d3511bed6798a78cc3237f6" - "pattern://64f16c5d4c99eff0acbc8fdf" - "pattern://0573c2491a56e59daca47e95" diff --git a/patterns/_Auth_Realm_Recovery_204c22beaccdfd22727af378.yml b/patterns/_Auth_Realm_Recovery_204c22beaccdfd22727af378.yml index 165b6c7..9cfd6fd 100644 --- a/patterns/_Auth_Realm_Recovery_204c22beaccdfd22727af378.yml +++ b/patterns/_Auth_Realm_Recovery_204c22beaccdfd22727af378.yml @@ -16,6 +16,6 @@ pattern: labels: "res://204c22beaccdfd22727af378#labels" cookieName: "agovRecovery" cookieSameSite: "Lax" - langCookieDomain: "var://auth_realm_main_idp-language-cookie-domain" + langCookieDomain: "var://agov-language-cookie-domain" resetAuthenticationCondition: "#{ (inargs.containsKey('cd')) ? 'restart' : ''\ \ }" diff --git a/patterns/b87d0d2b640e8e545ad70234_authStatesFile/SendSamlResponseWithAssertionState.xml b/patterns/b87d0d2b640e8e545ad70234_authStatesFile/SendSamlResponseWithAssertionState.xml index c5690f0..88a217a 100644 --- a/patterns/b87d0d2b640e8e545ad70234_authStatesFile/SendSamlResponseWithAssertionState.xml +++ b/patterns/b87d0d2b640e8e545ad70234_authStatesFile/SendSamlResponseWithAssertionState.xml @@ -3,7 +3,7 @@ - + \ No newline at end of file 
diff --git a/variables.yml b/variables.yml index 0723a4b..9ad399f 100644 --- a/variables.yml +++ b/variables.yml @@ -1,5 +1,12 @@ schemaVersion: "1.0" variables: + agov-language-cookie-domain: + className: "ch.nevis.admin.v4.plugin.base.generation.property.SimpleTextProperty" + parameters: + minRequired: 0 + maxAllowed: 1 + value: ".agov-d.azure.adnovum.net" + requireOverloading: true agov_dev_idm-db-management: className: "ch.nevis.admin.v4.plugin.base.generation.property.SelectionProperty" parameters: @@ -92,13 +99,6 @@ variables: maxAllowed: 1 value: "nevisauth" requireOverloading: true - auth_realm_main_idp-language-cookie-domain: - className: "ch.nevis.admin.v4.plugin.base.generation.property.SimpleTextProperty" - parameters: - minRequired: 0 - maxAllowed: 1 - value: ".agov-d.azure.adnovum.net" - requireOverloading: true auth_realm_main_sts_parameters: className: "ch.nevis.admin.v4.plugin.base.generation.property.TextProperty" parameters: