Forum Discussion

D_T's avatar
D_T
Icon for Cirrus rankCirrus
Feb 16, 2023

Removal of Client Side F5 Persistence Pool Cookie

I am seeing the F5 persistence pool cookies showing on the client side browser when viewing via inspection tools:

BIGipServer~application~po*

I would like to remove these so the pools are not exposed to viewers of the website. I assigned the following rule to the VIP but it does not appear to be clearing these out:

 

when HTTP_RESPONSE_RELEASE {
set cookies [HTTP::cookie names]
foreach aCookie $cookies {
if {$aCookie matches_regex {^BIGipServer(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
# Remove ASM Cookies
HTTP::cookie remove $aCookie
}
}
}

 

  • This is exactly how Cookie Persistence method works and if you remove the cookie you break the functionality. There are alternative cookie persistence methods you might consider. Check them below:

    Overview of cookie persistence (f5.com)

    In addition to it, I recommend you to enable encryption on your current cookie persistence method. This will prevent  malicious users to revert the value of the cookie into IP address of your pool member. 

1 Reply

  • This is exactly how Cookie Persistence method works and if you remove the cookie you break the functionality. There are alternative cookie persistence methods you might consider. Check them below:

    Overview of cookie persistence (f5.com)

    In addition to it, I recommend you to enable encryption on your current cookie persistence method. This will prevent  malicious users to revert the value of the cookie into IP address of your pool member.