Forum Discussion

Gustavo_Lazarte
Oct 08, 2009

predictable session ID

Hello,

We are failing a security audit due to having a predictable session ID number for the HTTP protocol.

We have a group of webservers in a pool and a virtual server polls from the pool; we use cookies for the persistence profile. Is this a problem in the F5, or should I look in the IIS 6 webservers sitting in the pool?

The F5 handles the HTTP and HTTPS traffic.

Thanks

1 Reply

  • Hi,

    I would guess the security audit is errantly identifying the LTM persistence cookie as predictable because the value of the cookie doesn't change over the course of multiple users' sessions. The persistence cookie is not a session identifier--it is simply an encoding of the pool member's IP address and port. You can check SOL6917 for details on the encoding:

    SOL6917: Overview of BIG-IP LTM cookie encoding for the cookie persistence profile
    https://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html

    If you consider the exposure of the server IP:port a security risk, you could configure LTM to encrypt the persistence cookie value using the HTTP profile option. I think this option was added at some point in 9.4.x.

    Aaron
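As an added illustration of Aaron's point (example code written for this page, not from the thread or from F5), the following decodes and encodes the plaintext cookie persistence value format that SOL6917 documents: `<ip>.<port>.0000`, where `<ip>` is the pool member's IPv4 address read as a little-endian 32-bit decimal and `<port>` is the byte-swapped 16-bit port as decimal. It also scans a set of constructed `Set-Cookie` headers and reports which `BIGipServer*` cookies (the default cookie name prefix is assumed here) still decode to a pool member, which is a quick way to check what an audit scanner sees and whether the encrypt option has taken effect. The IP, port and header values are constructed sample data.

```python
import ipaddress
import re
import struct

# Plaintext persistence value layout per SOL6917: "<ip>.<port>.0000".
# The third field is a constant zero field in the plaintext encoding.
_COOKIE_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.(\d{4})$")

# Header pattern: "Set-Cookie: <name>=<value>; ..." (case-insensitive header name).
_SET_COOKIE_RE = re.compile(r"^Set-Cookie:\s*([^=;\s]+)=([^;]*)", re.I)


def encode_cookie(ip: str, port: int) -> str:
    """Build the plaintext persistence value for a pool member (ip, port)."""
    packed = ipaddress.IPv4Address(ip).packed              # 4 bytes, network order
    ip_val = struct.unpack("<I", packed)[0]                # reinterpret as little-endian
    port_val = struct.unpack("<H", struct.pack(">H", port))[0]  # swap the two port bytes
    return f"{ip_val}.{port_val}.0000"


def decode_cookie(value: str):
    """Recover (ip, port) from a plaintext persistence value; ValueError otherwise."""
    m = _COOKIE_RE.match(value)
    if not m:
        raise ValueError("not a plaintext BIG-IP persistence value")
    ip_val, port_val = int(m.group(1)), int(m.group(2))
    if ip_val > 0xFFFFFFFF or port_val > 0xFFFF:
        raise ValueError("field out of range for IPv4 address or port")
    ip = str(ipaddress.IPv4Address(struct.pack("<I", ip_val)))
    port = struct.unpack(">H", struct.pack("<H", port_val))[0]
    return ip, port


def exposed_pool_members(set_cookie_headers):
    """Return (cookie_name, ip, port) for each BIGipServer* cookie whose value
    still decodes as a plaintext pool-member encoding. Values that do not match
    the plaintext layout (for example an encrypted cookie) are skipped."""
    found = []
    for header in set_cookie_headers:
        m = _SET_COOKIE_RE.match(header)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if not name.lower().startswith("bigipserver"):
            continue
        try:
            ip, port = decode_cookie(value)
        except ValueError:
            continue  # not the plaintext encoding: nothing is exposed by this cookie
        found.append((name, ip, port))
    return found


# Constructed sample headers: a plaintext persistence cookie for a hypothetical
# pool member 10.1.1.100:8080, an unrelated application session cookie, and a
# stand-in for a non-plaintext (e.g. encrypted) persistence value.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerweb_pool=1677787402.36895.0000; path=/",
    "Set-Cookie: ASP.NET_SessionId=constructedexamplevalue; path=/; HttpOnly",
    "Set-Cookie: BIGipServerweb_pool=!constructednonplaintextvalue; path=/",
]

if __name__ == "__main__":
    for name, ip, port in exposed_pool_members(SAMPLE_HEADERS):
        print(f"{name} exposes pool member {ip}:{port}")
    print(encode_cookie("10.1.1.100", 8080))
```

Run against headers captured from your own virtual server: any line the scan prints is a persistence cookie that reveals an internal pool member address, and that value will stay constant for every client routed to the same member, which is exactly why a scanner flags it as "predictable". Once the HTTP profile's cookie encryption option is enabled, the value no longer matches the plaintext layout and the scan should return nothing.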