Forum Discussion

Cirrostratus

Mar 09, 2016

APM SessionCookie MRHSession and CSRF

Does the APM MRHSession Cookie have any protections against a CSRF based attack? If we have a Spring application behind APM, do I need to worry about CSRF at the application level? http://docs.s...

MVP

Mar 09, 2016

Hi Walther,

the MRHSession session cookie is used for APM per-request authorization.

So the cookie "as is" can't be used to protect against CSRF attacks, if the user remains logged on. You'll would need additional iRule codings to use this cookie to protect against CSRF attacks (e.g. STREAM inject the MRHSession cookie value as a hidden

to your pages). But doing so would introduce additional risks to the MRHSession cookie, so better use an independent and randon cookie value for CSRF mitigation).

Cheers, Kai

Forum Discussion

APM SessionCookie MRHSession and CSRF

Recent Discussions

LDAPS and renegotiation

F5Access | MacOS Sonoma

Content type hearder charset=UTF-8

Web acceleration

Create a CSR and Key using the BigIP LTM GUI when renewing a certificate

Related Content

How To Protect Your Applications from Cross Site Request Forgery (CSRF) with F5 Distributed Cloud

What is MRH? IE. MRHSession cookie

CSRF Prevention with F5's BIG-IP ASM v10.2

Rename default MRHsession cookie?

Remained MRHSession cookie cause login issue to Vmware horizon at 2nd access with MS Edge