For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Apr 26, 2014

Let's say you created the MYSITE cookie as a result of a successful authentication to one of the first two sites. Let's also say that you gave that cookie the value of the authenticated session ID, the MRHSession value from that site. When the client made a request to the third site and passed this cookie, you could check the state of that session cookie with the ACCESS::policy result -sid command. You may have to be careful with this approach though. Given that the browser will send this cookie to any site that matches the domain, you may be sending an active session token to other sites unintentionally. Another option may be to generate a unique ID, insert that into a subtable, and then use that value in the MYSITE cookie. The session table is global, so when the third site receives the MYSITE cookie, it can verify it against the session table. Other sites may still unintentionally see this cookie value, but it wouldn't be exposing an active session ID.