For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Melinda_60516's avatar
Melinda_60516
Icon for Nimbostratus rankNimbostratus
Jun 05, 2015

how to setup persistence to concatenate jvmRoute with JSESSIONID to generate final SESSIONID

Hi, Can anyone help with how to setup persistence for a request as below:   We are going to be setting a "jvmRoute" variable in tomcat, and need to configure the F5 load balancer to concatenate it...
riyer_206339's avatar
riyer_206339
Icon for Nimbostratus rankNimbostratus
Mar 14, 2017

This is for encrypting Cookie content to improve security. It is a PCI requirement.

 

  • sirwinston's avatar
    sirwinston
    Icon for Nimbostratus rankNimbostratus
    Mar 14, 2017

    But I don't think encrypting the JSESSIONID cookie improves security at all. It is just a random value that is a pointer to a session object in an application server (e.g. Tomcat). Encrypting it doesn't do anything but turning it into another random value. If a hacker gets hold of the encrypted JSESSIONID (s)he can still just pass it along with a request and it will get descrypted on the fly by LTM.

     

    You could even argue that encryption even weakens your security as your are (arguably low) using CPU power for unnecessary stuff.