
F5 Cookies - Vulnerabilities

NetWork
Nimbostratus

We have a VIP associated with the default cookie persistence profile and the iRule configuration below.

 

when HTTP_RESPONSE {
  # Walk every Set-Cookie header in the response and set the Secure flag on it
  set myValues [HTTP::cookie names]
  foreach mycookies $myValues {
    HTTP::cookie secure $mycookies enable
  }
}

We exported the cookies using Cookie Editor and logged out of the application. Then we imported the same cookies, especially the SSO cookies, and refreshed the browser; it automatically logged in without prompting for a username and password. This is being observed as a vulnerability.

Can someone help with how this vulnerability can be fixed, so that it should not be possible to log in to the application using the same cookies after logout?


Erik_Novak
F5 Employee

If you have F5 Advanced WAF/ASM you can create a login page which will clear cookies on logout and force the client to login again.

NetWork
Nimbostratus

Hi Erik,

Thanks for your response!

Our F5 box is enabled with the LTM module only. In this case, is there any possibility of fixing this issue by tweaking the persistence profile or an iRule?
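An added example, not code from the original thread or from F5, showing one way to approach this on LTM alone, as asked in both the original question and the follow-up above. Setting the Secure flag, as the posted iRule does, only keeps the cookie off plaintext HTTP; it does nothing to make a session id unusable after logout, which is a server-side session-invalidation problem in the application. Where the application cannot be changed, the LTM can act as a compensating control: record the session id in the session table when the logout URI is requested, and reject any later request that presents that id. The cookie name SSO_SESSION, the paths /logout and /login, and the 8-hour retention are assumptions; replace them with the application's own values.

```tcl
# Added example (not from the original post). Assumed placeholder values:
#   SSO_SESSION  - the application's SSO/session cookie name
#   /logout      - the application's logout URI
#   /login       - where a rejected session is sent
# Compensating control on LTM: remember session ids that have logged out
# and refuse to forward requests that replay them.

when RULE_INIT {
    set static::sso_cookie  "SSO_SESSION"
    set static::logout_path "/logout"
    set static::login_path  "/login"
    set static::revoke_ttl  28800   ;# remember a revoked session id for 8 hours
}

when HTTP_REQUEST {
    if { [HTTP::cookie exists $static::sso_cookie] } {
        set sid [HTTP::cookie $static::sso_cookie]

        # A cookie from a session that already logged out is never passed
        # to the pool; the client is sent to the login page with the cookie
        # expired so the browser stops replaying it.
        if { [table lookup -subtable revoked $sid] ne "" } {
            HTTP::respond 302 Location $static::login_path \
                "Set-Cookie" "${static::sso_cookie}=deleted; Path=/; Max-Age=0; Secure; HttpOnly"
            return
        }

        # The logout request itself still reaches the application so that it
        # can do its own cleanup; from now on this session id is revoked here.
        if { [HTTP::path] eq $static::logout_path } {
            table set -subtable revoked $sid 1 $static::revoke_ttl
        }
    }
}

when HTTP_RESPONSE {
    # Keep the hardening from the original iRule: every cookie the application
    # sets is marked Secure and HttpOnly on the way out.
    foreach name [HTTP::cookie names] {
        HTTP::cookie secure $name enable
        HTTP::cookie httponly $name enable
    }
}
```

The revocation entry lives only as long as revoke_ttl, so set it no shorter than the application's own session lifetime, and note that session table entries are local to the device rather than shared across an HA pair. This remains a stopgap: the durable fix is for the application to invalidate the session on the server at logout, so that the id in the cookie is worthless wherever it is presented.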