Forum Discussion
Enhancing Web Server Security via F5 Cookie Hash Exposure
zamroni777, when a client makes an initial HTTP(s) request to the server, the F5 load balancer responds with a Set-Cookie header to set a persistent cookie. Are you saying that this persistent cookie is created by F5 in the first HTTP(s) request and can be passed to the server as a header by adding this iRule or local traffic policy, even before the persistent cookie is sent to the client for the first time? This looks like a good solution, but needs to be tested. Thanks.
- zamroni777 Oct 29, 2024 Nacreous
The principal thing stays that the client will only send the persistence cookie in HTTP requests after getting it in a previous HTTP response.
So the cookie value can only be read from the second HTTP request. However, you can override the built-in F5 cookie insert mechanism using your own iRules / traffic policies.
You can also use data from the HTTP response (session cookie, other HTTP response header, data from the HTTP response payload, server IP address and TCP port, etc.) as the source of the persistence key.