Forum Discussion

NetWork's avatar
Icon for Nimbostratus rankNimbostratus
Dec 21, 2020

F5 Cookies - Vulnerabilities

We have a VIP associated with default cookie persistence profile and below iRule configuration.



  set myValues [HTTP::cookie names]

  foreach mycookies $myValues {

   HTTP::cookie secure $mycookies enable



We exported the cookies using cookie editor, logged out the application. Then, imported the same cookies-especially SSO cookies, and did the refresh in browser, it automatically logging in without prompting for username and password. This is being observed as vulnerability.




Can someone help how this vulnerability can be fixed, so that we should not be able to login into the application using same cookies even after the logout.

2 Replies

  • If you have F5 Advanced WAF/ASM you can create a login page which will clear cookies on logout and force the client to login again.

  • Hi Erik,


    Thanks for your response!

    Our F5 box enabled with LTM module only. In this case, do we have any possibility to fix this issue by tweaking persistence profile or irule.