NetWork
Dec 21, 2020 Nimbostratus
F5 Cookies - Vulnerabilities
We have a VIP associated with the default cookie persistence profile and the iRule configuration below.
when HTTP_RESPONSE {
    # Set the Secure flag on every cookie in the response
    set myValues [HTTP::cookie names]
    foreach mycookies $myValues {
        HTTP::cookie secure $mycookies enable
    }
}
We exported the cookies using a cookie editor and logged out of the application. Then we imported the same cookies, especially the SSO cookies, and refreshed the browser; it automatically logged in without prompting for a username and password. This is being observed as a vulnerability.
Can someone help with how this vulnerability can be fixed, so that we are not able to log in to the application using the same cookies after logout?
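The Secure flag set by the iRule above only keeps cookies off plain HTTP; it does not end a session, so a cookie copied before logout keeps working for as long as whatever issued it still treats the session as valid. The following is an added example, not part of the original post and not F5's own code, of an iRule that remembers the SSO cookie presented at logout and refuses it afterwards. The cookie name `SSOSESSION`, the paths `/logout` and `/login`, the subtable name `revoked_sso` and the 8-hour lifetime are all assumptions to be replaced with the application's real values.

```tcl
# Added example, not the poster's iRule. Assumed names: cookie "SSOSESSION",
# logout path "/logout", login path "/login", subtable "revoked_sso".
when RULE_INIT {
    # How long a revoked token is remembered, in seconds. Assumed to be at
    # least the longest lifetime of an SSO session (8 hours here).
    set static::revoked_ttl 28800
}

when HTTP_REQUEST {
    # Requests without the SSO cookie are passed through unchanged.
    if { ![HTTP::cookie exists "SSOSESSION"] } { return }

    # Key the table on a hash so raw session tokens are not stored.
    set token_key [b64encode [sha256 [HTTP::cookie value "SSOSESSION"]]]

    # A token recorded at an earlier logout is refused, even if the
    # backend would still accept it. The cookie is also cleared client-side.
    if { [table lookup -notouch -subtable revoked_sso $token_key] ne "" } {
        HTTP::respond 302 Location "/login" Set-Cookie "SSOSESSION=; Max-Age=0; Path=/; Secure; HttpOnly"
        return
    }

    # Record the token when the user logs out. The request still reaches
    # the application so it can end its own session as well.
    if { [HTTP::path] eq "/logout" } {
        table set -subtable revoked_sso $token_key 1 $static::revoked_ttl $static::revoked_ttl
    }
}
```

This is a compensating control at the BIG-IP; the application or SSO provider should still invalidate the session server-side at logout.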