F5 APM cookie F5_ST not supporting httpOnly - is there any explicit documentation on that?
Env: LTM 13.1.3.6 Hi - we are working to address with our Security department a vulnerability scan, which has pointed out that during APM-managed login sessions the cookie "F5_ST" is set without the httpOnly option. In the documentation for the APM cookies (https://support.f5.com/csp/article/K15387), it describes how this cookie is processed by Javascript - which makes complete sense of why it doesn't support httpOnly. However, we would benefit from an explicit statement to that effect. Is anyone aware of any such statement in F5 documentation? I have searched, but have not been able to find anything. I also can't find anything in devcentral (except individuals asking how to set httpOnly, without receiving any replies). If anyone is aware of any statement, even if not official, that supports my assertion that httpOnly cannot be used, that would be helpful in absentia of an explicit statement. Thank you!
Chrome browser not deleting APM authentication cookies
Does anyone know of any issues with Google Chrome and the APM authentication / session cookies? We have an issue when terminating an application session using the logout feature. With the Google Chrome browser the cookies are not being deleted as expected. With IE everything works as exepected. The Logout is detected and the Response instructs the browser to set some cookies including the "F5_ST" cookie to "deleted": The user is then redirected back to the application and the login page is requested. We can see that the F5_ST cookie has been removed: When we try the same with the Google Chrome browser, the logout is also detected and the response instructs the browser to set some Cookies including the "F5_ST" cookie to "deleted". The user is then redirected back to the application and the login page is request. We can see that the F5_ST cookies is still present with the previous value MRHsession cookies is now seen twice: Is anyone aware of any issues with Google Chrome that might explain this behaviour? This is leading to the APM module not displaying the login page by displaying the Error page with the message about the APM not being able to find the session information. Firefox is also working fine with this application. It is only Google Chrome. Many thanks,
