APM SessionCookie MRHSession and CSRF

Question

Does the APM MRHSession Cookie have any protections against a CSRF based attack?&nbsp;
If we have a Spring application behind APM, do I need to worry about CSRF at the application level?
http://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html&nbsp;
I do not have an ASM license.&nbsp;

kai_wilke · Answer

Hi Walther,
the MRHSession session cookie is used for APM per-request authorization. 
So the cookie "as is" can't be used to protect against CSRF attacks, if the user remains logged on. You'll would need additional iRule codings to use this cookie to protect against CSRF attacks (e.g. STREAM inject the MRHSession cookie value as a hidden  to your pages). But doing so would introduce additional risks to the MRHSession cookie, so better use an independent and randon cookie value for CSRF mitigation).
Cheers, Kai

walter_kacynski · Answer

I thought I saw a reference to a "rolling" cookie value from the APM docs.  Maybe this is only used during policy evaluation?&nbsp;

Forum Discussion

APM SessionCookie MRHSession and CSRF

2 Replies

Bram - January 2026 Featured Member

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

rSeries Configuration Backup

Questions on Migrating configs from iSeries to RSeries F5s

AST Configuration help

reading Client SSL Profile details via Ansible

Raise your hand if you'll be at AppWorld 2026

Related Content

How To Protect Your Applications from Cross Site Request Forgery (CSRF) with F5 Distributed Cloud

What is MRH? IE. MRHSession cookie

CSRF Prevention with F5's BIG-IP ASM v10.2

Rename default MRHsession cookie?

CSRF Protection not Working

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS