Forum Discussion
flomkrl_29950
Nimbostratus
Nov 27, 2008
Cookie steal risk?
Hello,
If another user catches the BIGIP cookie, is it able to access the application without authentication? I'm referring to the iRule ClientAuthUsingHTMLForms (http://devcentral.f5...
Hamish
Cirrocumulus
Dec 02, 2008
A couple of small observations about cookies... And this iRule.
1. I don't think the cookie is set as a 'secure' cookie. So in theory it's vulnerable to attack if it is presented to the site across an un-encrypted session.
2. The cookie actually contains data... Encrypting it is of dubious use. No encryption of the cookie contents will stop someone from stealing it. It would only stop someone from looking at it & changing it themselves.
Note that in an iRule you're probably not going to get away from 2. Normally you'd keep a session table with the info on the web server and the cookie would be a random value key to look that info up (e.g in a hash table). But iRules don't really provide for that level of control.
Short answer is that there's nothing there to guarantee security. YMMV.
Hamish.
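Hamish's two points, as an added example written for this thread rather than code from the iRule, from F5, or from either poster: the session identifier is a random opaque token looked up in a server-side table (so the cookie carries no data and can be expired or revoked centrally), and the Set-Cookie header carries the Secure and HttpOnly attributes so the token is never presented over plain HTTP or exposed to page scripts. It is written in Python as a stand-in for the web server's own session handling; the cookie name `BIGIPAUTH`, the `SessionStore` class and the 900-second lifetime are assumptions for the illustration, not values from the iRule.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Constructed default session lifetime for this example; a real deployment
# would pick this to match its own login policy.
SESSION_TTL_SECONDS = 900


class SessionStore:
    """Server-side session table keyed by an opaque random token.

    This is the hash-table approach Hamish describes: the cookie value is a
    lookup key, and the user identity lives only on the server side.
    """

    def __init__(self, ttl=SESSION_TTL_SECONDS, now=time.time):
        self._table = {}
        self._ttl = ttl
        self._now = now  # injectable clock so expiry can be tested

    def create(self, username):
        # 32 random bytes from the OS CSPRNG; the token reveals nothing about
        # the user, so encrypting it would add nothing (point 2 of the reply).
        token = secrets.token_urlsafe(32)
        self._table[token] = {"user": username, "expires": self._now() + self._ttl}
        return token

    def lookup(self, token):
        """Return the username for a live token, or None if unknown/expired."""
        entry = self._table.get(token)
        if entry is None:
            return None
        if entry["expires"] <= self._now():
            # A captured cookie stops working once the session ages out;
            # short lifetimes bound the window in which a stolen token is useful.
            del self._table[token]
            return None
        return entry["user"]

    def revoke(self, token):
        """Logout or forced invalidation: drop the server-side entry."""
        self._table.pop(token, None)


def set_cookie_header(name, token):
    """Build a Set-Cookie header with the attributes point 1 of the reply asks for."""
    cookie = SimpleCookie()
    cookie[name] = token
    cookie[name]["secure"] = True      # browser only sends it over HTTPS
    cookie[name]["httponly"] = True    # not readable from page scripts
    cookie[name]["samesite"] = "Strict"
    cookie[name]["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()


def parse_cookie_header(header_value, name):
    """Extract one cookie value from an incoming Cookie header (hypothetical helper)."""
    cookie = SimpleCookie()
    cookie.load(header_value)
    morsel = cookie.get(name)
    return morsel.value if morsel else None


def authenticate_request(store, cookie_header, name="BIGIPAUTH"):
    """Resolve the request's session cookie to a username, or None if not authenticated."""
    token = parse_cookie_header(cookie_header, name)
    if token is None:
        return None
    return store.lookup(token)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print(set_cookie_header("BIGIPAUTH", tok))
    print(authenticate_request(store, "BIGIPAUTH=" + tok))   # alice
    print(authenticate_request(store, "BIGIPAUTH=not-a-real-token"))  # None
```

Note what this does and does not buy: the Secure flag stops the browser from disclosing the token on an unencrypted connection, and the server-side table lets a session be expired or revoked, but as Hamish says, nothing about the cookie's contents prevents a token that has already been captured from being replayed until it is expired or revoked.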