Jan 30, 2020

Encrypt the name or rename the AVR cookies

Hello folks:


I have some virtual servers which have the analytics profile enabled, so I am able to collect statistics of the traffic passing through such vs. However, after performing an Ethical Hacking procedure in my infrastructure, I was requested to rename the cookies that AVR uses, such as: f5_cspm=; f5avrbbbbbbbbbbbbbbbb=; f5avrbbbbbbbbbbbbbbbb or encrypt their names. Such names are visible to attackers so I need them to be changed to some less F5-descriptive ones. Here there is only the process to rename the f5_cspm cookie. F5 says that the other cookies that start with f5avr cannot be renamed. How could I achieve this requirement?




    ◘ You cannot modify a cookie name that is set by the AVR module.

    ◘ Beginning in BIG-IP 11.4.0, the cookie is also encrypted and should be considered safe by security scanning devices.

    You can most definitely use similar logic as the article points out:


    modify sys db avr.cookieprefix value "my new avr prefix"


    It is not controlled by the AVR module.
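One way to confirm the outcome of a rename, as an added example that is not part of the original thread or of F5's tooling: it lists the cookie names in captured HTTP headers and flags the F5-descriptive names quoted in the question. The header samples are constructed, and the replacement name `app_perf` is hypothetical.

```python
import re

# Name patterns taken from the cookie names quoted in the question above.
F5_NAME_PATTERNS = {
    "f5_cspm": re.compile(r"^f5_cspm$", re.IGNORECASE),
    "f5avr*": re.compile(r"^f5avr", re.IGNORECASE),
}

def cookie_names(raw_headers):
    """Return cookie names from every Set-Cookie and Cookie header line."""
    names = []
    for line in raw_headers.splitlines():
        header, sep, value = line.partition(":")
        if not sep:
            continue  # status line or blank line, not a header
        header = header.strip().lower()
        if header == "set-cookie":
            pairs = [value.split(";", 1)[0]]  # attributes follow the first ';'
        elif header == "cookie":
            pairs = value.split(";")  # request header carries several pairs
        else:
            continue
        for pair in pairs:
            name = pair.split("=", 1)[0].strip()
            if name:
                names.append(name)
    return names

def descriptive_cookies(raw_headers):
    """Map each pattern label to the cookie names that still match it."""
    hits = {}
    for name in cookie_names(raw_headers):
        for label, pattern in F5_NAME_PATTERNS.items():
            if pattern.search(name):
                hits.setdefault(label, []).append(name)
    return hits

# Constructed sample responses (not captured from a real device).
BEFORE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          "Set-Cookie: f5_cspm=1234;\r\n"
          "Set-Cookie: f5avrbbbbbbbbbbbbbbbb=ABCDEFGH; HttpOnly; path=/\r\n"
          "Set-Cookie: JSESSIONID=abc123; Path=/; Secure\r\n")
AFTER = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         "Set-Cookie: app_perf=1234;\r\n"  # hypothetical renamed cookie
         "Set-Cookie: JSESSIONID=abc123; Path=/; Secure\r\n")

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, descriptive_cookies(sample) or "no F5-descriptive names")
```

Feeding it the headers saved from a request through the virtual server before and after the change shows which of the names the assessment flagged are still being set.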