Cookies, jsessionid and encryption

Question

Hi All,&nbsp;Im relatively new to this. Our company had a third party do a pentest on our External apps in a DMZ. We had one call out for cookie information disclosure, so we turned on cookie encryption. We had an additional jsessionid vuln so we went in and did the universal and set the time out for the prior cookie persist if we ended up making the change for the same app that had a vuln cookie(hope this make sense). My question is, by replacing the encrypted cookie persist profile with the new universal jsessionid which sets secure and http. does that negate the cookie encryption and now we are disclosing that info again, even though we are protecting the jsessionid? I see there is a way to have both by turning on cookie encryption via http profile. Really trying to understand. Thanks

brian_achenbaugh · Answer

sorry i found the answer, this is resolved. thanks

brian_achenbaugh · Answer

So based on the info in this article:https://community.f5.com/t5/technical-forum/how-can-i-insert-pool-member-ip-into-cookie-when-using-universal/m-p/265343The person wanted to actually insert load balancing info into the universal persistence cookie as it wasnt there, so that sort of cleared my concern that it would be exposed like in a normal load balancing cookie. Im hoping my assumption was correct.

psilva · Answer

Maybe add the solution if others are experiencing the same?&nbsp;

Forum Discussion

Cookies, jsessionid and encryption

3 Replies

Recent Discussions

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5Access | MacOS Sonoma

Transaction looks successful but file not downloading

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

Related Content

Decrypt, Encrypt, Decrypt, Encrypt, Encrypt....

Let's Encrypt

Encrypting Cookies

Cookie Encryption

Automate Let's Encrypt Certificates on BIG-IP