For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Andy_from_Sandy's avatar
Andy_from_Sandy
Icon for Nimbostratus rankNimbostratus
Aug 22, 2016

Unable to add access policy - getting Your session could not be established.

I have version 11.6.0 build 0.0.401 running in VMware workstation version 12 with a lab license. The other day I added extra VMs and one of them had the same IP address as I was using as the self-ip ...
BIG-IP
BIG-IP Access Policy Manager (APM)
devops
Cody_Green_1030's avatar
Cody_Green_1030
Historic F5 Account
Aug 26, 2016

By default the APM MRHSession cookie is only allowed over SSL/TLS, which in my opinion is the only secure way to use APM, and not over HTTP. The issue with APM over non-encrypted traffic is a malicious actor can steal your cookie and impersonate your session.

 

Now, if you absolutely have to use APM over non-encrypted traffic you can disable the Secure cookie option under the SSO/Auth Domains tab (Access Policy -> Access Profiles then SSO/Auth Domains will be on the top menu).