Forum Discussion
Hamish
Jan 05, 2010
I got an answer from F5...
Looks like the unencrypted cookie is safe IF you're not performing 'Match Across Pools' or 'Match Across Services' (or VS) for persistence... if you are, then the rules change somewhat.
Match across service or match across VS will let an attacker alter the port specified by the poolmember. Match across pools is more open. The attacker can specify any poolmember they like (I'm paraphrasing what F5 told me).
Hmm... Inherently unsafe in certain situations... (i.e. your secure website can be compromised by an insecure config on a non-secure VS). I've requested a CR to change the default behaviour to encrypting all persistence cookies and a SOL note to ensure people know about it...
H
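One defensive check for the risk described in the post, added here as an example that is not part of the forum thread and not F5's own code: it decodes the plain-text persistence cookie value (the documented BIGipServer format, IPv4 as a little-endian integer and the port byte-swapped) and accepts it only if it names one of the virtual server's own pool members, so an altered port or a foreign pool member is rejected rather than honoured. The pool member addresses and cookie values are constructed samples.

```python
# Added example; the cookie layout assumed here is the documented plain-text
# BIG-IP persistence format "<ip>.<port>.0000": <ip> is the IPv4 address as a
# little-endian 32-bit integer, <port> is the TCP port with its two bytes swapped.
from typing import Set, Tuple


def decode_persistence_cookie(value: str) -> Tuple[str, int]:
    """Return (ip, port) from a plain BIG-IP persistence cookie value."""
    parts = value.split(".")
    if len(parts) != 3:
        raise ValueError(f"unexpected cookie format: {value!r}")
    ip_int, port_int = int(parts[0]), int(parts[1])
    if not (0 <= ip_int <= 0xFFFFFFFF and 0 <= port_int <= 0xFFFF):
        raise ValueError("cookie field out of range")
    # IPv4 octets are stored least-significant byte first.
    ip = ".".join(str((ip_int >> (8 * i)) & 0xFF) for i in range(4))
    # The port is stored with its high and low bytes swapped.
    port = ((port_int & 0xFF) << 8) | (port_int >> 8)
    return ip, port


def cookie_points_to_allowed_member(value: str, allowed: Set[Tuple[str, int]]) -> bool:
    """True only if the cookie names a pool member this VS is meant to use.

    A cookie naming another port (what match-across-services would permit) or a
    member outside the pool (what match-across-pools would permit) is rejected,
    as is anything that does not parse at all.
    """
    try:
        return decode_persistence_cookie(value) in allowed
    except ValueError:
        return False


# Constructed sample pool for an HTTPS virtual server (not from the post).
POOL_MEMBERS = {("10.1.1.100", 443), ("10.1.1.101", 443)}

if __name__ == "__main__":
    samples = [
        "1677787402.47873.0000",  # 10.1.1.100:443, a real member
        "1677787402.20480.0000",  # 10.1.1.100:80, port altered
        "3355509002.47873.0000",  # 10.1.1.200:443, not in this pool
    ]
    for cookie in samples:
        print(cookie, decode_persistence_cookie(cookie),
              cookie_points_to_allowed_member(cookie, POOL_MEMBERS))
```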