Forum Discussion
riyer_206339
Mar 14, 2017 Nimbostratus
This is for encrypting Cookie content to improve security. It is a PCI requirement.
- sirwinston Mar 14, 2017 Nimbostratus
But I don't think encrypting the JSESSIONID cookie improves security at all. It is just a random value that is a pointer to a session object in an application server (e.g. Tomcat). Encrypting it doesn't do anything but turn it into another random value. If a hacker gets hold of the encrypted JSESSIONID, (s)he can still just pass it along with a request and it will get decrypted on the fly by LTM.
You could even argue that encryption even weakens your security, as you are using (arguably low) CPU power for unnecessary stuff.