Forum Discussion
Walter_Kacynski
Cirrostratus
Mar 09, 2016
APM SessionCookie MRHSession and CSRF
Does the APM MRHSession Cookie have any protections against a CSRF based attack?
If we have a Spring application behind APM, do I need to worry about CSRF at the application level?
http://docs.s...
Kai_Wilke
MVP
Mar 09, 2016
Hi Walther,
the MRHSession session cookie is used for APM per-request authorization.
So the cookie "as is" can't be used to protect against CSRF attacks, if the user remains logged on. You would need additional iRule coding to use this cookie to protect against CSRF attacks (e.g. STREAM inject the MRHSession cookie value as a hidden
to your pages). But doing so would introduce additional risks to the MRHSession cookie, so better use an independent and random cookie value for CSRF mitigation.
Cheers, Kai
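
The point made in the reply above, as an added example that is not part of the original thread and is neither F5 nor Spring code: a session cookie alone authorizes any request the browser sends, so a state-changing request is accepted only when it also carries a random token that is independent of the MRHSession value. The `CsrfGuard` class, the `csrf_token` form field and the sample session values are assumptions made for illustration.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


class CsrfGuard:
    """Hypothetical application-side check: per-session token kept server-side."""

    def __init__(self):
        self._tokens = {}  # MRHSession value -> CSRF token

    def issue(self, session_id):
        # Fresh randomness, not derived from the session cookie, so placing
        # the token in page markup never reveals the MRHSession value.
        return self._tokens.setdefault(session_id, secrets.token_urlsafe(32))

    def allow(self, method, cookies, form):
        session_id = cookies.get("MRHSession")
        if session_id is None:
            return False  # no session cookie at all
        if method in SAFE_METHODS:
            return True  # safe methods must not change state
        expected = self._tokens.get(session_id)
        submitted = form.get("csrf_token", "")
        if expected is None or not submitted:
            return False
        # Constant-time comparison of the stored and submitted tokens.
        return hmac.compare_digest(expected.encode(), submitted.encode())


def demo():
    guard = CsrfGuard()
    # Constructed sample values; real MRHSession values are issued by APM.
    alice = {"MRHSession": "constructed-session-aaaa"}
    bob = {"MRHSession": "constructed-session-bbbb"}
    alice_token = guard.issue(alice["MRHSession"])
    bob_token = guard.issue(bob["MRHSession"])
    return {
        # Same-site form: browser sends the cookie, the page supplies the token.
        "legit": guard.allow("POST", alice, {"csrf_token": alice_token}),
        # Cross-site form: carries the browser-attached cookie but no token.
        "cookie_only": guard.allow("POST", alice, {}),
        # A token issued to a different session does not validate.
        "other_session_token": guard.allow("POST", alice, {"csrf_token": bob_token}),
        "get_allowed": guard.allow("GET", alice, {}),
    }


if __name__ == "__main__":
    print(demo())
```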