http_to_https http profile rule question

What's VIP stand for, sorry? Virtual IP? What I was calling a listener?

 

 

 

Yeah, it's a bad shorthand for virtual server (IP and port). I guess it should be VS as VIP should mean virtual IP address.

 

 

I'm still not sure exactly what issue WebInspect is reporting. WI makes a request to an HTTPS VIP and receives a local reference redirect Location to /Anon02/Anon02.aspx. That's coming from the web app, not LTM. And even though RFC2616 states Location header URLs must be absolute (containing a full URL including the protocol), every major browser I've ever tested with will make a new GET request to the same host over the same protocol. So the client should make a request to https://anon.com:443/Anon02/Anon02.aspx. No cookies have been sent over HTTP in the two requests.

 

 

WebInspect seems to be confusing an initial http request with a 302 response (the 2nd 302 response, from our web site) with cookie data to be "insecure".

 

 

 

In past testing with WI, I haven't seen that problem, so I'm still not clear what the issue is. Can you post the full (anonymized) details from WI for this?

 

 

Aaron