For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

mahmad2_222556's avatar
mahmad2_222556
Icon for Nimbostratus rankNimbostratus
Sep 14, 2018

Disable http for Cookie persistance setup

We have a requirement from an IVR vendor to enable Cookie without HTTP. I tried to configure Cookie w/o http and got an error that Cookie persistence requires an HTTP or FastHTTP profile to be associ...
application delivery
LTM
Aaron_Booker's avatar
Aaron_Booker
Icon for Employee rankEmployee
Sep 15, 2018

If you are going to use cookie persistence, for this application running through BIG-IP, it sounds like you need to disable the HTTPOnly Attribute in the cookie persistence profile. Without the HttpOnly flag a client side script can access the cookie. I should note that the HttpOnly flag protects against XSS attacks. Here is more information:

 

K83419154: Overview of cookie persistence

 

OWASP article about HttpOnly