Last Modified: Nov 07, 2022
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.10, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1
Fixed In:
11.6.0, 11.5.4 HF2
Opened: Jun 30, 2014
Severity: 3-Major
If cookie persistence is configured, then persistence cookies will be sent to the client. However, if the persistence profile is overridden by an iRule "persist" command, that cookie should not be sent.
1) Extra persistence cookies may be included in a response even if they are not required by the current persistence method. 2) Passive cookies may not be encrypted in some situations.
1) A cookie persistence profile is used, and it is overridden to some other persistence method via an iRule. 2) Passive cookie persistence is used, the "always send" option is off, and cookie encryption is enabled.
1) The extra cookie can be removed by an iRule. 2) Turn the "always send" option on if using passive persistence cookies.
1) Persistence cookies will not be inserted if the persistence method is changed from cookie persistence to some other persistence method. 2) Passive persistence cookies will be encrypted even if the "always send" option is off.
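A response-header check for the two impacts described above, added here as an example and not taken from F5: it flags a persistence cookie that is still sent after the persistence method was overridden, and a persistence cookie whose value is not encrypted although encryption is configured. The `BIGipServer` cookie-name prefix, the `<digits>.<digits>.0000` shape of an unencrypted value, the function names and the sample headers are assumptions or constructed values; adjust them if the profile uses a custom cookie name.

```python
import re

# Assumption: the persistence profile uses the default cookie name prefix.
PERSIST_PREFIX = "BIGipServer"
# Assumption: an unencrypted IPv4 persistence value has the shape
# <digits>.<digits>.0000; anything else is treated as not plaintext.
PLAINTEXT_VALUE = re.compile(r"^\d{1,10}\.\d{1,5}\.0000$")


def parse_set_cookie(header):
    """Return (name, value) from one Set-Cookie header value."""
    pair = header.split(";", 1)[0]
    name, _, value = pair.partition("=")
    return name.strip(), value.strip()


def audit_response(set_cookie_headers, cookie_persistence_expected,
                   encryption_expected):
    """Return (cookie_name, finding) tuples for one HTTP response.

    cookie_persistence_expected: False when an iRule "persist" command
        switched this traffic to a non-cookie persistence method.
    encryption_expected: True when cookie encryption is enabled.
    """
    findings = []
    for header in set_cookie_headers:
        name, value = parse_set_cookie(header)
        if not name.startswith(PERSIST_PREFIX):
            continue  # application cookie, not a persistence cookie
        if not cookie_persistence_expected:
            findings.append((name, "unexpected-persistence-cookie"))
        if encryption_expected and PLAINTEXT_VALUE.match(value):
            findings.append((name, "unencrypted-persistence-cookie"))
    return findings


if __name__ == "__main__":
    # Constructed sample: response headers captured behind a virtual server
    # where an iRule overrides cookie persistence.
    sample = [
        "JSESSIONID=0123456789abcdef; Path=/; HttpOnly",
        "BIGipServerpool_app=1234567890.12345.0000; path=/",
    ]
    for name, finding in audit_response(sample, False, True):
        print(f"{finding}: {name}")
```

Run it against responses collected before and after upgrading to a fixed version, or after applying the workaround, to confirm the cookie is gone or encrypted.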