Cookies, jsessionid and encryption

Brian_Achenbaugh
Altostratus

Hi All, 

I'm relatively new to this. Our company had a third party do a pentest on our External apps in a DMZ. We had one call out for cookie information disclosure, so we turned on cookie encryption. We had an additional jsessionid vuln, so we went in and did the universal and set the timeout for the prior cookie persist if we ended up making the change for the same app that had a vuln cookie (hope this makes sense). My question is: by replacing the encrypted cookie persist profile with the new universal jsessionid, which sets secure and http, does that negate the cookie encryption, and are we now disclosing that info again, even though we are protecting the jsessionid? I see there is a way to have both by turning on cookie encryption via http profile. Really trying to understand. Thanks

3 REPLIES

Brian_Achenbaugh
Altostratus

Sorry, I found the answer, this is resolved. Thanks

PSilva
Community Manager

Maybe add the solution if others are experiencing the same? 

ps

So based on the info in this article:

https://community.f5.com/t5/technical-forum/how-can-i-insert-pool-member-ip-into-cookie-when-using-u...

The person wanted to actually insert load balancing info into the universal persistence cookie as it wasn't there, so that sort of cleared my concern that it would be exposed like in a normal load balancing cookie. I'm hoping my assumption was correct.