Set APM Cookies to HttpOnly

During an internal pen test of our APM implementation, our Security group was able to inject some JavaScript and steal the 2 APM cookies MRHSession and Last_MRHSession. We think we could prevent this by setting these cookies to HttpOnly, but this option is not available in APM. Has anybody run across this issue and been able to resolve it? I'm wondering if there might be an iRule that could be used here; any feedback greatly appreciated!

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER
Hi John,

Was there an actual vulnerability in APM or the web app? Or how was someone able to inject JavaScript?

I believe the APM session cookies might need to be read via client-side script for some functionality, so I'm not sure setting the HttpOnly flag on both cookies would solve this issue in an acceptable manner.

Aaron
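An iRule of the kind the question asks about, as an added example that is not part of this thread and not F5's own code. It appends HttpOnly (and, optionally, Secure) to the Set-Cookie headers for the two cookie names named in the question on responses that pass through HTTP_RESPONSE. The cookie-name list is an assumption copied from the post, so compare it against the Set-Cookie headers your APM virtual actually emits before relying on it. Two things to test rather than assume: HTTP_RESPONSE is raised for responses relayed from the pool, so check on your version whether it also catches the response in which APM first issues MRHSession; and, as the answer above warns, any APM client-side function that reads these cookies stops working once they are HttpOnly, so run the full logon, refresh and logout flows on a test virtual first. Note also that stealing a cookie by injected script is an XSS symptom; the injection itself still needs fixing, and this iRule is only defence in depth.

```tcl
# Added example (not from the original thread): mark the APM session
# cookies HttpOnly (and Secure) on their way back to the client.
when RULE_INIT {
    # Cookie names as given in the question; verify against your own
    # Set-Cookie headers (assumption).
    set static::apm_cookies_to_harden { MRHSession Last_MRHSession }
    # Set to 0 if the virtual server is plain HTTP, otherwise the browser
    # will refuse to send a Secure cookie back.
    set static::apm_cookies_add_secure 1
}

when HTTP_RESPONSE {
    # All Set-Cookie values on this response (there may be several).
    set cookies [HTTP::header values Set-Cookie]
    if { [llength $cookies] == 0 } { return }

    set rewritten {}
    set changed 0
    foreach c $cookies {
        # The cookie name is everything before "=" in the first ";"-separated part.
        set parts [split $c ";"]
        set name  [string trim [lindex [split [lindex $parts 0] "="] 0]]

        if { [lsearch -exact $static::apm_cookies_to_harden $name] != -1 } {
            # Inspect the attributes already present so we never duplicate them.
            set has_httponly 0
            set has_secure 0
            foreach a [lrange $parts 1 end] {
                switch -- [string tolower [string trim $a]] {
                    "httponly" { set has_httponly 1 }
                    "secure"   { set has_secure 1 }
                }
            }
            if { !$has_httponly } {
                append c "; HttpOnly"
                set changed 1
            }
            if { $static::apm_cookies_add_secure && !$has_secure } {
                append c "; Secure"
                set changed 1
            }
        }
        lappend rewritten $c
    }

    if { $changed } {
        # Replace the whole Set-Cookie set so untouched cookies keep their order.
        HTTP::header remove Set-Cookie
        foreach c $rewritten {
            HTTP::header insert Set-Cookie $c
        }
    }
}
```

Attach the iRule to the APM virtual server, then confirm in the browser's developer tools (or with a proxy such as Burp) that both cookies arrive with the HttpOnly attribute and that the access policy still completes. If a client-side APM function turns out to need one of the cookies, remove that name from the static list rather than disabling the rule entirely.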