For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

ptate_72056's avatar
ptate_72056
Icon for Nimbostratus rankNimbostratus
Jan 23, 2009

Persistence cookies and security

Hi Everyone,     We've recently had a security audit reveal that the BigIP persistence cookie contains the IP address and the port of the node the user connected to.     I can se...
config
design
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Jan 23, 2009
Hi Phil,

 

 

As the client should never need to read or modify this cookie, you can encrypt the cookie value using the 9.4+ HTTP profile option 'Encrypt Cookies'. Enter the name of the cookie and a passphrase to use. Make sure to create a custom HTTP profile rather than modifying the default HTTP profile so this option will only be used on the specific VIP(s) you want it for.

 

 

If you're on an older version of LTM, you could use an iRule to encrypt the cookie value using 'HTTP::cookie encrypt|decrypt' in HTTP_RESPONSE and HTTP_REQUEST, respectively.

 

 

Aaron