cookie persistence sendfor: http only

DaveC_53879 (Nimbostratus), May 06, 2011

Need help with cookie persistence. LTM version 9.4.6. How do I set the F5 cookie to http only?
hoolio (Cirrostratus), May 06, 2011

Hi Dave,
Did this come up in a vulnerability report for your LTM hosted app? It is possible to append the HttpOnly flag to LTM's set-cookie header. However, the persistence cookie only dictates which pool member LTM sends requests to. There aren't any significant security concerns with an attacker getting this as it's not used (at least by default) by LTM for anything security related.
If you do want to append the HttpOnly flag, you could try something like this:
    when SERVER_CONNECTED {
        # Save the name of the currently connected pool
        set pool_name [LB::server pool]
    }
    when HTTP_RESPONSE {
        # Check if the response contains the persistence cookie
        if {[HTTP::cookie BIGipServer${pool_name}] ne ""}{
            # Replace the last Set-Cookie header value with the same value and "; HttpOnly" appended
            HTTP::header replace Set-Cookie "[HTTP::header Set-Cookie]; HttpOnly"
        }
    }
Aaron
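An added check, not part of the thread or of F5's code, for verifying what the iRule above actually produces: it parses the Set-Cookie headers of a captured response, reports whether each BIGipServer* persistence cookie carries HttpOnly, and models the "replace the last Set-Cookie header" behaviour the iRule comment describes, which shows that the flag lands on the wrong cookie when the persistence cookie is not the last Set-Cookie header. The response text, pool name and cookie values are constructed samples.

```python
from typing import Dict, List

# Constructed sample (not from the thread): the persistence cookie is the
# first Set-Cookie header and an application cookie follows it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: BIGipServerweb_pool=1677787402.20480.0000; path=/\r\n"
    "Set-Cookie: JSESSIONID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_set_cookies(raw_response: str) -> List[str]:
    """Return every Set-Cookie header value, in order, from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def persistence_cookie_report(raw_response: str) -> Dict[str, bool]:
    """Map each BIGipServer* cookie name to True if its Set-Cookie has HttpOnly."""
    report = {}
    for value in parse_set_cookies(raw_response):
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        if cookie_name.startswith("BIGipServer"):
            attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
            report[cookie_name] = "httponly" in attrs
    return report


def apply_last_header_append(raw_response: str, suffix: str = "; HttpOnly") -> str:
    """Model the iRule's HTTP::header replace, assumed (per the iRule comment)
    to act on the LAST Set-Cookie header only."""
    head, sep, body = raw_response.partition("\r\n\r\n")
    lines = head.split("\r\n")
    for i in range(len(lines) - 1, 0, -1):
        name, colon, value = lines[i].partition(":")
        if colon and name.strip().lower() == "set-cookie":
            lines[i] = f"{name}:{value}{suffix}"
            break
    return "\r\n".join(lines) + sep + body


if __name__ == "__main__":
    print("before:", persistence_cookie_report(SAMPLE_RESPONSE))
    print("after :", persistence_cookie_report(apply_last_header_append(SAMPLE_RESPONSE)))
```

Run it against a real captured response from the virtual server to confirm the flag ends up on the BIGipServer cookie rather than on whichever cookie the application happened to set last.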