Forum Discussion
jksingh_44237
Nimbostratus
16 years ago
The remote load balancer suffers from an information disclosure vulnerability at port 80 and 443
I am looking for a solution for this issue...
I have BIGIP (BIG-IP 9.3.1 Build 37.1)
Port http (tcp/80)
Synopsis :
The remote load balancer suffers from an i...
Hamish
Cirrocumulus
16 years ago
Hi. Wrong forum for this question... You should be asking over in 'Advanced Design & Config', or maybe the iRule forums.
However
I'm not sure I ever agree with anyone who claims that letting users know your internal IPs and ports is a security problem... I tend to adhere more to the view that security by obscurity is no security at all. If your site is vulnerable to people knowing the backend IPs, then you have a bigger problem elsewhere rather than in the fact your cookies aren't opaque.
I tend to lump this 'vulnerability' in the same vein as running a secure webserver on port 443 is vulnerable because people can find it easier...
About the only real 'vulnerability' I could see from this is that over time someone might be able to determine how many backend servers you have... Which given they don't know how big they are doesn't tell them a lot other than how efficient your code is over time.
If you're really feeling bothered there's an iRule available to encrypt and decrypt cookies for you. Check out the codeshare.
regards
Hamish
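Added example, not part of the original thread and not F5's code: a Python check an administrator can run over response headers from their own virtual server to see whether the persistence cookie is still the non-opaque kind the reply refers to. It assumes F5's documented defaults for IPv4 pool members (cookie name `BIGipServer<pool>`, value `<ip>.<port>.0000`); the function names and the sample headers are constructed for illustration.

```python
import re
import socket
import struct

# Default (unencrypted) IPv4 persistence cookie value: <ip>.<port>.0000
PLAIN_VALUE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
SET_COOKIE = re.compile(r"^set-cookie:\s*(BIGipServer[^=;\s]*)=([^;\s]+)", re.I)


def decode_persistence_value(value):
    """Return (ip, port) if value is a plain IPv4 persistence cookie, else None."""
    m = PLAIN_VALUE.match(value)
    if not m:
        return None  # opaque or otherwise not in the default format
    ip_num, port_num = int(m.group(1)), int(m.group(2))
    if ip_num > 0xFFFFFFFF or port_num > 0xFFFF:
        return None
    # Both fields are the network-order bytes read as a little-endian integer.
    ip = socket.inet_ntoa(struct.pack("<I", ip_num))
    port = struct.unpack(">H", struct.pack("<H", port_num))[0]
    return ip, port


def audit_headers(raw_headers):
    """Return [(cookie_name, ip, port)] for cookies that expose a pool member."""
    findings = []
    for line in raw_headers.splitlines():
        m = SET_COOKIE.match(line.strip())
        if not m:
            continue
        decoded = decode_persistence_value(m.group(2))
        if decoded:
            findings.append((m.group(1), *decoded))
    return findings


# Constructed sample response headers (pool names and values are made up).
SAMPLE = """HTTP/1.1 200 OK
Set-Cookie: BIGipServerweb_pool=1677787402.36895.0000; path=/
Set-Cookie: BIGipServerapp_pool=!constructedOpaqueValueOnly==; path=/
Set-Cookie: session=abc123; HttpOnly
"""

if __name__ == "__main__":
    for name, ip, port in audit_headers(SAMPLE):
        print(f"{name}: plain persistence cookie exposes {ip}:{port}")
```

An empty result after cookie encryption is enabled confirms the value no longer decodes to a pool member address.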