For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Siva_107534's avatar
Siva_107534
Icon for Nimbostratus rankNimbostratus
Dec 28, 2009

How to encrypt the cookies generated by LTM?

Hi All,   How to encrypt the cookie information generated by LTM in the browser, becoz   by default cookies in the browser displays the Internal Pool IP of web servers   accessed...
application delivery
dev
devops
iRules
Chris_Olson's avatar
Chris_Olson
Icon for Nimbostratus rankNimbostratus
Dec 10, 2010
Help. We are using 9.3.1 and got hit on a vulnerability scan for unencrypted cookies. I used the link http://devcentral.f5.com/wiki/defau...okies.html

 

to create the irules needed for this. Our QA tested and advised us all was well. We attempted to roll out to production and got many failures and had to roll back. I thought it had to do with existing sessions and once the user logged back in he/she would be OK. My own testing showed that the irule would force you back to the login page every time you clicked on a different feature of the application. After logging off and on to the site 3 times, everything appeared to be working. In addition to the irule, we created a custom cookie and named it app_cookie to match the irule.

 

The error message and irule are shown below. I can turn debugging on if needed but would like some insight please.

 

Thank you,

 

Chris

 

 

Code is here: http://pastebin.com/QwsVjzfs

 

 

I don't know how to post it here properly.