For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Rob_28_145615's avatar
Rob_28_145615
Icon for Nimbostratus rankNimbostratus
Feb 26, 2014

Same problem here, SharePoint 2010 with persistent cookies enabled on F5 in order to allow editing in Office. Until solution is found we decided to set timeout to 5 minutes, then added JS code to SharePoint master page to retrieve an image every 4 and half minutes. This resets expiry on persistent cookie for another 5 minutes, cutting down to max 5 minutes chance of someone unauthorized accessing the site on public computer. Still this is a hole that should not be there. I understand users should always click on Sign Out, but that’s not guaranteed. Chances are most of them will close the browser and assume they are logged out. Also, we can’t rely on public computers to be set to delete permanent cookies on browser closing.

 

Suggestion for permanent solution, assuming session cookies are killed on closing a browser: Create one browser session cookie and one persistent cookie when starting a new session. When browser is closed, session cookie will be deleted. If someone reopens the browser and tries to access the site, F5 should check for both session and persistent cookies. If they don’t match or one is missing, F5 should kill the session.

 

  • Mathieu_125197's avatar
    Mathieu_125197
    Icon for Nimbostratus rankNimbostratus
    Mar 10, 2014
    Hi Rob 28, I have the same situation in my architecture, so your solution interest me , could you give us detail the action to put in place to resolve this ( Delete cookie), maybe you use the Irule?
  • JariH's avatar
    JariH
    Icon for Nimbostratus rankNimbostratus
    Oct 01, 2014
    Hi, we faced the same problem with persistent APM session cookies. Customer is really mad. Users can access the web site after browser close. Does anyone have any template for this Cookie workaround that Rob 28 proposed above? It sounds like doable and valid solution, but I don't know correct events where that LB cookie should be created and where to be checked to prevent access to site. Thanks in advance
  • BrettReed_16317's avatar
    BrettReed_16317
    Icon for Nimbostratus rankNimbostratus
    Sep 07, 2016

    HAs anyone found a way to make this work - we have the same issue - moving from TMG which allows you to set cookies depending on whether you are using a public or private computer. Firefox works correctly, IE works using "contains" iRule but cannot get Chrome or Opera browser to perform correctly with their default settings