F5 Cookies - Vulnerabilities

Question

We have a VIP associated with default cookie persistence profile and below iRule configuration.

when HTTP_RESPONSE {

set myValues [HTTP::cookie names]

foreach mycookies $myValues {

HTTP::cookie secure $mycookies enable

}

We exported the cookies using cookie editor, logged out the application. Then, imported the same cookies-especially SSO cookies, and did the refresh in browser, it automatically logging in without prompting for username and password. This is being observed as vulnerability.

Can someone help how this vulnerability can be fixed, so that we should not be able to login into the application using same cookies even after the logout.

erik_novak · Answer

If you have F5 Advanced WAF/ASM you can create a login page which will clear cookies on logout and force the client to login again.

network · Answer

Hi Erik,&nbsp;Thanks for your response!Our F5 box enabled with LTM module only. In this case, do we have any possibility to fix this issue by tweaking persistence profile or irule.&nbsp;

Forum Discussion

F5 Cookies - Vulnerabilities

2 Replies

Recent Discussions

Port Group on F5OS network setting

F5Access | MacOS Sonoma

Rewrite uri translation not working

Chrome V 124+ on MacOS - Virtual Server Access Issue

Transaction looks successful but file not downloading

Related Content

Python script to test if a F5 BIG-IP is vulnerable to cve-2023-46747

Re: Mitigation of OWASP API6: 2019 Mass Assignment vulnerability using F5 Distributed Cloud Platform

Reviewing vulnerability scanner results for an Access Policy Manager (APM) protected Virtual Server

Mitigation for F5 vulnerabilities (November 2022)

Vulnerability CVE-2023-45648 in ApacheTomcat