Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
May 08, 2007

Where do session cookies live?

This is a quick question that I hope is easy to answer.     When a BigIP (9.x) creates a cookie, clearly its a "session" (in-memory) cookie, and not a file-based cookie. Where then is that cooki...
application delivery
dev
devops
irules
Michael_Everet1's avatar
Michael_Everet1
Historic F5 Account
May 10, 2007
Thanks for the response...

 

 

The cookie is a session cookie in both v4 and v9.. Problem is that our cookie isn't handled directly by the client browser, but by code in the middle. The worst part, the application team cannot locate the source code that is handling this function. I suspect it easier for me to implement a rule, then get app developers to change code they can't find, for a project they aren't accountable for.

 

 

I am still using a cookie insert profile, to generate the cookie on the first request. I was thinking the logic that checks to see if the cookie is present in the request, then setting the need_bigip variable would suffice for checking..

 

 

Is there a better way..