21-Dec-2020 08:44
We have a VIP associated with the default cookie persistence profile and the iRule configuration below.
when HTTP_RESPONSE {
    # Collect the names of every cookie the server is setting in this response
    set myValues [HTTP::cookie names]
    # Flag each Set-Cookie as Secure so the browser only sends it over HTTPS
    foreach mycookies $myValues {
        HTTP::cookie secure $mycookies enable
    }
}
We exported the cookies using a cookie editor and logged out of the application. Then we imported the same cookies, especially the SSO cookies, and refreshed the browser: it automatically logged in without prompting for a username and password. This is being observed as a vulnerability.
Can someone help with how this vulnerability can be fixed, so that we are not able to log in to the application using the same cookies even after logout?
21-Dec-2020 09:35
If you have F5 Advanced WAF/ASM, you can create a login page that will clear cookies on logout and force the client to log in again.
21-Dec-2020 22:19
Hi Erik,
Thanks for your response!
Our F5 box is enabled with the LTM module only. In this case, is there any possibility to fix this issue by tweaking the persistence profile or an iRule?
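As an added example (not code from the thread or from F5), this LTM-only iRule extends the poster's rule: every Set-Cookie is flagged Secure and HttpOnly, and on the logout request the response instructs the browser to discard the session cookies. The logout path (/logout) and the cookie names in the static list are assumed placeholders and must be changed to match the application.

```tcl
# Added example, not from the original thread. Assumes the application's
# logout URI is /logout and that the SSO/session cookies are named as in
# static::session_cookies (placeholders); adjust both for the real application.

when RULE_INIT {
    set static::logout_path "/logout"
    set static::session_cookies [list "SSO_COOKIE" "APP_SESSION"]
}

when HTTP_REQUEST {
    # Remember whether this request is the logout; HTTP_RESPONSE needs to know.
    if { [string tolower [HTTP::path]] equals $static::logout_path } {
        set is_logout 1
    } else {
        set is_logout 0
    }
}

when HTTP_RESPONSE {
    # Harden every cookie the application sets in this response.
    foreach name [HTTP::cookie names] {
        HTTP::cookie secure $name enable
        HTTP::cookie httponly $name enable
    }

    if { [info exists is_logout] && $is_logout } {
        # On the logout response, add an expired Set-Cookie for each session
        # cookie so the browser drops its copy. Path must match the original
        # cookie's path or the browser keeps the old one.
        foreach name $static::session_cookies {
            HTTP::header insert "Set-Cookie" \
                "${name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Secure; HttpOnly"
        }
    }
}
```

This only clears the browser's own copy of the cookies; a copy saved before logout, as in the test described above, keeps working until the application (or the SSO provider) invalidates the session on its side, which neither a persistence profile nor an LTM iRule can do. The server-side session invalidation on logout is therefore still the actual fix, and the iRule is a supplementary hardening step.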