For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Aug 26, 2015

I'm going to go out on a limb here and say, based on testing, that cookies encrypted with the HTTP profile cookie encryption cannot be decrypted with the HTTP::cookie decrypt command (and vice versa), nor would you need to do this. The HTTP cookie encryption option performs both encryption and decryption on cookies that pass through the proxy.

Further, I attempted to encrypt the MRHSession cookie with the HTTP profile encryption option and that completely broke the access session. If you're not trying to encrypt the access session cookies, then simply applying the HTTP profile cookie encryption option should both encrypt and decrypt any other (designated) cookies. Now, if you wanted to encrypt the MRHSession access session cookie, that could actually be done with layered virtuals. Put an LTM VIP in front of your APM VIP and apply the HTTP profile cookie encryption there.

when CLIENT_ACCEPTED {
    virtual [internal VIP name]
}