For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

DaveC_53879's avatar
DaveC_53879
Icon for Nimbostratus rankNimbostratus
May 06, 2011

cookie persistence sendfor: http only

Need help with cookie persistence. LTM version 9.4.6. How do I set the F5 cookie to http only?
config
design
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
May 09, 2011
Just to clarify, the cookie insert persistence cookie contains an encoding of the pool member IP:port as described in SOL6917:

 

 

sol6917: Overview of BIG-IP persistence cookie encoding

 

https://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html

 

 

So it does contain what could be considered sensitive data as it exposes the server IP addresses and ports from the pool. If that's a concern for you, you can encrypt the cookie value using a custom HTTP profile:

 

 

sol7784: Overview of cookie encryption

 

http://support.f5.com/kb/en-us/solutions/public/7000/700/sol7784.html

 

 

That said, the fact that the persistence cookie is accessible from clientside scripts is somewhat irrelevant as it's not specific to the client's session--an attacker could get all of the possible cookie values just by making requests to the virtual server.

 

 

Aaron