Forum Discussion
Chris_Phillips
May 15, 2012 (Nimbostratus)
Cookie security - Encryption vs Secure+HttpOnly
Howdy, we're currently running a tweaked version of the rule here https://devcentral.f5.com/weblogs/J...style.aspx on our 10.2 LTMs. It doesn't work well and has never been well integrated in...
hooleylist
Jun 01, 2012 (Cirrostratus)
Hi Chris,
As you said, HttpOnly is an attempt to mitigate XSS. Encrypting cookies mitigates cookie value tampering and possibly information disclosure if you're using cookie values with meaningful data (as opposed to session IDs, etc.). But encryption does nothing to prevent use of another user's cookies by a malicious user.
There is a fairly significant performance hit with encrypting cookie values so I'd only use it if you're concerned about information disclosure or cookie tampering.
Aaron
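The distinction Aaron draws above, as an added example that is not part of this thread and not F5 code: the first function adds the Secure and HttpOnly attributes to a Set-Cookie header value on the way out (the cheap flag-based mitigation), and the second pair makes a cookie value tamper-evident so a modified value is rejected. It uses a stdlib HMAC over the value for the integrity check rather than encryption, which is an assumption of this example; the key and cookie values are constructed for the demo. The last function shows the limit Aaron describes: a valid cookie copied from one client and presented by another verifies just as well, so flags and integrity protection do nothing against replay of a stolen cookie.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment would load it from key management.
DEMO_KEY = secrets.token_bytes(32)

SECURITY_ATTRS = ("Secure", "HttpOnly")


def harden_set_cookie(header_value: str) -> str:
    """Append Secure and HttpOnly to a Set-Cookie value if they are missing.

    Attribute matching is case-insensitive and existing attributes are kept,
    so applying this twice (or to an already-hardened cookie) is a no-op.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    # parts[0] is name=value; only the remaining parts are attributes.
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    for attr in SECURITY_ATTRS:
        if attr.lower() not in present:
            parts.append(attr)
    return "; ".join(parts)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def seal(value: str, key: bytes = DEMO_KEY) -> str:
    """Return '<base64 value>.<hmac-sha256 tag>' so later edits are detectable."""
    body = _b64(value.encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def open_sealed(cookie: str, key: bytes = DEMO_KEY):
    """Return the original value, or None if the tag does not match (tampered)."""
    if cookie.count(".") != 1:
        return None
    body, tag = cookie.split(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check itself does not leak the tag.
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return _unb64(body).decode()
    except (ValueError, UnicodeDecodeError):
        return None


def replay_demo(key: bytes = DEMO_KEY) -> dict:
    """Show what the integrity check does and does not stop.

    - a value edited by the client is rejected (tag no longer matches)
    - the same unmodified cookie presented from anywhere else still verifies,
      which is the replay problem flags and encryption leave untouched
    """
    issued = seal("role=user;uid=42", key)
    # Client flips one character of the protected value.
    tampered = issued[:-1] + ("0" if issued[-1] != "0" else "1")
    return {
        "tampered_accepted": open_sealed(tampered, key) is not None,
        "replay_accepted": open_sealed(issued, key) == "role=user;uid=42",
    }


if __name__ == "__main__":
    print(harden_set_cookie("sid=abc123; Path=/"))
    print(replay_demo())
```

The flag rewrite is the part an iRule on the LTM would do on the HTTP response; the HMAC step stands in for whatever the back end uses to protect the value. Neither one helps once a valid cookie has left the legitimate client, which is why binding the session to something server-side (expiry, client attributes, re-authentication for sensitive actions) is a separate control.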