Last Modified: Mar 28, 2025
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
16.1.4, 16.1.4.1, 16.1.4.2, 16.1.4.3, 16.1.5, 16.1.5.1, 16.1.5.2, 17.1.2, 17.1.2.1, 17.5.0
Opened: Dec 26, 2024 Severity: 3-Major
Illegal characters are present in the persistence cookie name after enabling encryption of the pool name, which violates RFC 6265 Section 4.1.1 and RFC 2616 Section 2.2.
Some HTTP implementations may reject the request or behave in an unexpected manner after receiving HTTP headers in which the cookie name contains an illegal character.
LTM cookie persistence is in use, and the "encrypt-cookie-poolname" option is enabled in the cookie persistence profile.
If the intention is to hide the pool name being used with the virtual server, use an iRule to set cookie persistence when routing requests to the respective pools. A sample iRule can be similar to the following:

    when HTTP_REQUEST {
        switch -glob -- [string tolower [HTTP::host]] {
            "foobar1.com" {
                pool pool1
                persist cookie insert "poolCookie1"
            }
            "foobar2.net" -
            "foobar2.org" {
                pool pool2
                persist cookie insert "poolCookie2"
            }
        }
    }

The virtual server would still need to have a cookie persistence profile. In this example, the cookie value is also encrypted:

    ltm persistence cookie encrypt_cookie_value {
        app-service none
        cookie-encryption required
        cookie-encryption-passphrase <scrubbed>
        defaults-from cookie
    }
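A check for verifying whether a virtual server is emitting this symptom, added here as an example and not part of the F5 article: it scans the Set-Cookie headers of a raw HTTP response and reports any cookie name containing characters outside the RFC 2616 Section 2.2 token set. The sample response and cookie names below are constructed, not captured from a BIG-IP.

```python
# RFC 2616 Section 2.2: token = 1*<any CHAR except CTLs or separators>
SEPARATORS = set('()<>@,;:\\"/[]?={} \t')


def is_token_char(ch: str) -> bool:
    """True if ch may appear in an HTTP token (and thus in a cookie name)."""
    code = ord(ch)
    if code <= 31 or code >= 127:  # CTLs, DEL and non-ASCII are never token chars
        return False
    return ch not in SEPARATORS


def illegal_cookie_name_chars(cookie_name: str) -> list:
    """Return the distinct characters in cookie_name that are not token chars."""
    return sorted({ch for ch in cookie_name if not is_token_char(ch)})


def check_set_cookie_headers(raw_response: str) -> list:
    """Parse Set-Cookie headers out of a raw HTTP response.

    Returns a list of (cookie_name, offending_chars) for every cookie whose
    name would violate RFC 6265 / RFC 2616; an empty list means all names are clean.
    """
    findings = []
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        cookie_pair = value.strip().split(";", 1)[0]  # drop attributes such as path=
        cookie_name = cookie_pair.split("=", 1)[0]
        bad = illegal_cookie_name_chars(cookie_name)
        if bad:
            findings.append((cookie_name, bad))
    return findings


# Constructed sample: the first cookie name carries "/", ":" and a space (illegal),
# the second is the clean "poolCookie1" name from the iRule workaround above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: BIGipServer/Common:p0ol 1=x1y2z3; path=/\r\n"
    "Set-Cookie: poolCookie1=a9b8c7; path=/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for cookie_name, bad in check_set_cookie_headers(SAMPLE_RESPONSE):
        print(f"illegal cookie name {cookie_name!r}: offending chars {bad}")
```

Run it against a response captured from the affected virtual server (for example, the raw output of a curl -i request) to confirm whether the workaround removed the offending characters.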
None