Forum Discussion
Hamish, Jan 05, 2010
More thoughts...
There is also the possibility that someone could alter the information in the cookie to deliberately target a particular backend server without going through the correct load-balancing sequence for a user without a current session...
Which begs a question...
When the F5 receives a cookie for the pool member, is it validated against the configured pool members? Or is it just used as it is? I'm raising a case on our F5 support contract to verify what happens here because it has implications on some work we're doing here too...
(I'm not sure if it could be validated in a fast & scalable way, because an iRule can override the pool & pool member being used [and more questions arise from this]. Unless the BIG-IP keeps a list of all pools and pool members it's ever used... But I could surmise forever on this one. Hopefully we can get a definitive answer. It's possible SOL9815 answers this already, but in a bit of a round-about manner.)
Of course this would all be moot if the cookie value was opaque (i.e. a key into a hash table that had the information in it)... But that isn't as scalable, of course. Although it is in theory safer than either unencrypted or even encrypted cookies.