For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Melinda_60516's avatar
Melinda_60516
Icon for Nimbostratus rankNimbostratus
Jun 05, 2015

how to setup persistence to concatenate jvmRoute with JSESSIONID to generate final SESSIONID

Hi, Can anyone help with how to setup persistence for a request as below:   We are going to be setting a "jvmRoute" variable in tomcat, and need to configure the F5 load balancer to concatenate it...
riyer_206339's avatar
riyer_206339
Icon for Nimbostratus rankNimbostratus
Mar 13, 2017

Hi All,

Along with above requirement, we would like to encrypt the Cookie content. So there is already a Profile under Persistence that we created to use HTTP Insert Cookie method and encrypt the Cookie content using a passphrase. I would like to know if it is okay to have a profile separately to encrypt along with this iRule or do we need to modify the iRule to have them together. Like, have JSESSIONID and encryption of Cookie content in a single iRule. 

when HTTP_RESPONSE {
 if { [HTTP::cookie exists "JSESSIONID"] } {
   persist add uie [HTTP::cookie "JSESSIONID"]
  }
}

when HTTP_REQUEST {
  if { [HTTP::cookie exists "JSESSIONID"] } {
    persist uie [HTTP::cookie "JSESSIONID"]
  }
}

Regards, Ram

  • sirwinston's avatar
    sirwinston
    Icon for Nimbostratus rankNimbostratus
    Mar 13, 2017

    I fail to see what the benefit of encrypting a JSESSIONID would be. By definition it is a random string. Encrypting it does not seem to have any value.

     

    You should make sure that it is marked as Secure and HttpOnly, but most application servers will do that by default.