Set APM Cookies to HttpOnly

Question

During an internal PEN test of our APM implementation, our Security group was able to inject some Java script and steal the 2 APM cookies MRHSession and Last_MRHSession. We think we could prevent this by setting these cookies to HttpOnly but this option is not available in APM. Anybody run across this issue and able to resolve? Wondering if there might be an iRule that could be used here - any feedback greatly appreciated!

hooleylist · Answer

Hi John, 
&nbsp;  
&nbsp; Was there an actual vulnerability in APM or the web app?  Or how was someone able to inject Javascript?   
&nbsp;  
&nbsp; I believe the APM session cookies might need to be read via clientside script for some functionality, so I'm not sure setting the HttpOnly flag on both cookies would solve this issue in an acceptable manner. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Set APM Cookies to HttpOnly

1 Reply

Recent Discussions

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Reverse Proxy Not Behaving

Stable Firmware for F5

Related Content

Set the SameSite Attribute for LTM Persistence Cookies

set HTTPOnly in cookie

Setting up persistence in F5 XC

Decoding the IPv4 address from the persistence cookie

Cookie-based DDoS protection