Forum Discussion

2 Replies

  • Hi Walther,

    the MRHSession session cookie is used for APM per-request authorization.

    So the cookie "as is" can't be used to protect against CSRF attacks, if the user remains logged on. You would need additional iRule coding to use this cookie to protect against CSRF attacks (e.g. STREAM inject the MRHSession cookie value as a hidden field into your pages). But doing so would introduce additional risks to the MRHSession cookie, so better use an independent and random cookie value for CSRF mitigation.

    Cheers, Kai
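    Kai's point about using an independent random value rather than the session cookie itself, as an added illustration that is not from this thread and not F5 code: a small Python model of both approaches. The naive variant copies the session cookie into page markup (so any script in the page, or a leaked page, can read it), while the hardened variant issues a separate random nonce and binds it to the session with an HMAC, so the session value never leaves the cookie. `SERVER_KEY`, the function names and the sample session ids are assumptions for the example; on a BIG-IP the injection itself would still be done in an iRule.

```python
import hmac
import hashlib
import secrets

# Constructed per-deployment secret; in practice load it from protected config.
SERVER_KEY = secrets.token_bytes(32)


def naive_hidden_field(session_cookie_value: str) -> str:
    """The approach Kai warns against: the session cookie value itself lands in
    the HTML, defeating HttpOnly and exposing it to anything that reads the page."""
    return f'<input type="hidden" name="csrf" value="{session_cookie_value}">'


def issue_csrf_token(session_id: str) -> str:
    """Independent random token, bound to the session via HMAC.
    The token reveals nothing about the session id; it only verifies against it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """True only if the token was issued for this session and was not tampered with.
    Malformed tokens are rejected rather than raising."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the MAC through timing.
    return hmac.compare_digest(mac, expected)


def hardened_hidden_field(session_id: str) -> str:
    """Hidden field carrying only the independent token, never the session value."""
    return f'<input type="hidden" name="csrf" value="{issue_csrf_token(session_id)}">'


if __name__ == "__main__":
    sid = "constructed-session-id"   # stands in for the MRHSession value
    tok = issue_csrf_token(sid)
    print("valid for own session:", verify_csrf_token(sid, tok))
    print("valid for other session:", verify_csrf_token("other", tok))
    print("session value leaked in markup:", sid in hardened_hidden_field(sid))
```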

  • I thought I saw a reference to a "rolling" cookie value from the APM docs. Maybe this is only used during policy evaluation?