For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

JMC-TN_184986's avatar
JMC-TN_184986
Icon for Nimbostratus rankNimbostratus
Aug 19, 2015

Persistence Cookie Random Values

Our QA department used to test servers by using Fiddler to override the encrypted persistence cookie value....this was in 10.2.4. They would hit the VIP and go through all the servers in the pool and...
application delivery
LTM
sfuerst_116779's avatar
sfuerst_116779
Historic F5 Account
Aug 19, 2015

If the persistence cookie is set up to be encrypted, then a random IV is used to do the encryption. (The IV is included in the base-64 encrypted result, allowing it to be decrypted again.) This means that the same unencrypted cookie can encrypt to many different results as the IVs can differ.

 

The reason for this is so that different clients of the website will get different persistence cookies. Cookies cannot be compared to determine any information about what the cookie originally was. (A simpler scheme would encrypt identical cookies to the same encrypted result. This would allow two users to see if they got the same encrypted = same unencrypted cookie, which would be a small information leak.)