Forum Discussion
Cody_Green_1030
Aug 26, 2016Historic F5 Account
By default the APM MRHSession cookie is only allowed over SSL/TLS, which in my opinion is the only secure way to use APM, and not over HTTP. The issue with APM over non-encrypted traffic is a malicious actor can steal your cookie and impersonate your session.
Now, if you absolutely have to use APM over non-encrypted traffic you can disable the Secure cookie option under the SSO/Auth Domains tab (Access Policy -> Access Profiles then SSO/Auth Domains will be on the top menu).