For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Nick_T_68319's avatar
Nick_T_68319
Icon for Nimbostratus rankNimbostratus
Aug 31, 2010

Cookie encryption

I have a lot of web sites using the F5 default cookie for the primary persistence method. When using this cookie, it names the cookie BIGipServerPOOLNAME. This is cool, but now I have a request to e...
config
design
brad_11480's avatar
brad_11480
Icon for Nimbostratus rankNimbostratus
Feb 28, 2012
I agree 100% with the statements regarding ways to encrypting these cookies.

 

 

I've been putting this off hoping that F5 would eventually realize that it needed to be addressed. At this point, however, our auditors are hounding us to get this corrected.. The 'plain text' persistence cookies are providing too much 'private' information and they need to be encrypted.

 

 

The auditors aren't hitting us on the name of the cookie.. yet.. but, yeah, that might happen too.. I think that can be changed but might have some other side-effects, if i remember correctly.

 

 

So the option seems to be either a zippy Irule that will do a wild card, or lots and lots of custom profiles. The latter is error prone. The former creates tons of unnecessary overhead.

 

 

Suggested solution:

 

1. System setting to encrypt all persistence cookies.

 

2. VIP setting to encrypt all persistence cookies.

 

2.a. VIP setting to encrypt all cookies.

 

3. HTTP profile allow wildcard entries for the list of cookies to encrypt.

 

 

Do 3 if nothing else can be done. I don't see that there has been anything done in this area, but could be wrong.. the cookies in the HTTP profile must be explicitly named .. all of them. for a VIP that works with a dozen resource pools, this list becomes quite long, and gee, all of them begin with BIGipServer . Dah... Help!?