Forum Discussion
Kai_Wilke
Mar 09, 2016 (MVP)
Hi Walther,
the MRHSession session cookie is used for APM per-request authorization.
So the cookie "as is" can't be used to protect against CSRF attacks, if the user remains logged on. You would need additional iRule codings to use this cookie to protect against CSRF attacks (e.g. STREAM inject the MRHSession cookie value as a hidden
to your pages). But doing so would introduce additional risks to the MRHSession cookie, so better use an independent and random cookie value for CSRF mitigation.
Cheers, Kai
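
The independent-token approach recommended in the reply above, sketched as an added example that is not part of the original post and is not iRule code. It models the logic in Python; the cookie name `csrf_token`, the field name, and the sample page and session value are assumptions constructed for illustration.

```python
import hmac
import re
import secrets

CSRF_COOKIE = "csrf_token"  # assumed cookie name, separate from MRHSession
CSRF_FIELD = "csrf_token"   # assumed hidden form field name
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed sample data (not real APM values).
SAMPLE_SESSION = "constructed-mrhsession-value"
SAMPLE_HTML = '<html><body><form method="post" action="/transfer"></form></body></html>'


def issue_token() -> str:
    """Create a random value that has no relation to the session cookie."""
    return secrets.token_urlsafe(32)


def inject_token(html: str, token: str) -> str:
    """Insert the token as a hidden field before every closing form tag.

    token_urlsafe() only emits [A-Za-z0-9_-], so the value needs no HTML escaping.
    """
    field = f'<input type="hidden" name="{CSRF_FIELD}" value="{token}">'
    return re.sub(r"(?i)</form>", lambda m: field + m.group(0), html)


def is_request_allowed(method: str, cookies: dict, form: dict) -> bool:
    """Allow a state-changing request only if cookie and form field match.

    A forged cross-site request still carries the browser's cookies, but the
    foreign page cannot read the token, so it cannot supply the form field.
    """
    if method.upper() in SAFE_METHODS:
        return True
    cookie_val = cookies.get(CSRF_COOKIE, "")
    field_val = form.get(CSRF_FIELD, "")
    if not cookie_val or not field_val:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(cookie_val.encode(), field_val.encode())


if __name__ == "__main__":
    token = issue_token()
    page = inject_token(SAMPLE_HTML, token)
    cookies = {"MRHSession": SAMPLE_SESSION, CSRF_COOKIE: token}
    print(is_request_allowed("POST", cookies, {CSRF_FIELD: token}))  # legitimate form post
    print(is_request_allowed("POST", cookies, {}))                   # forged post, no field
```

Because the page only ever contains the separate token, the session cookie value never appears in HTML that scripts or intermediaries could read.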