F5 Cookies - Vulnerabilities

Question

We have a VIP associated with default cookie persistence profile and below iRule configuration.

when HTTP_RESPONSE {

set myValues [HTTP::cookie names]

foreach mycookies $myValues {

HTTP::cookie secure $mycookies enable

}

We exported the cookies using cookie editor, logged out the application. Then, imported the same cookies-especially SSO cookies, and did the refresh in browser, it automatically logging in without prompting for username and password. This is being observed as vulnerability.

Can someone help how this vulnerability can be fixed, so that we should not be able to login into the application using same cookies even after the logout.

erik_novak · Answer

If you have F5 Advanced WAF/ASM you can create a login page which will clear cookies on logout and force the client to login again.

network · Answer

Hi Erik,&nbsp;Thanks for your response!Our F5 box enabled with LTM module only. In this case, do we have any possibility to fix this issue by tweaking persistence profile or irule.&nbsp;

Forum Discussion

F5 Cookies - Vulnerabilities

Recent Discussions

F5 looses the token for the first call

ports are showing open on online scanning tool

self-directed requests fail because of no certificate

Decode ObjectSID from Base64-encode string

iRule - Url rewrite and header replace and pool selection not working

Related Content

F5 Device Administration/configuration - Vulnerabilities

June 2014 OpenSSL Vulnerabilities

Cookie Encryption Across Pools and Services

Request Logging - Session Cookie only

Samesite cookies on 1600's

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS