# BIG-IP persistence-cookie decoder

> Decode an F5 BIGipServer persistence cookie into the backend pool member's IP and port, or encode one from an address and port. Runs entirely in your browser.

- Tool: https://ronutz.com/en/tools/f5-bigip-persistence-cookie
- Family: Networking

---

## What it does

Decode the value of an F5 BIG-IP `BIGipServer` persistence cookie into the backend pool member's IP address and port, or go the other way and encode a cookie value from an address and port. It handles the four unencrypted encodings BIG-IP uses, and it runs entirely in your browser.

## What the cookie is, and why decoding it matters

When BIG-IP cookie persistence runs in its default insert mode, it adds a cookie named `BIGipServer<pool>` whose value encodes which pool member a client was sent to, so the client returns to the same member. The catch is that the encoding is not encryption: in its default form, the cookie plainly encodes the pool member's internal IP address and port. Anyone who can see the cookie, which means the client and anything on the path, can decode it and learn a piece of your internal topology. Demonstrating that is the point of this tool, and it flags when a decoded address falls in a private RFC 1918 range, because that is exactly the internal detail you did not mean to publish.

## The encodings and their byte order

The subtlety, and the reason a purpose-built decoder helps, is byte order. In the default IPv4 encoding the address is a single decimal number whose bytes are taken little-endian, that is, reversed, and the port is a decimal field with its two bytes swapped. For example, the address `10.1.1.100` encodes to the decimal `1677787402`, and port `80` encodes to the byte-swapped `20480`. BIG-IP defines four such encodings in all, covering IPv4, IPv6, and route-domain variants, each with its own rule, which the tool implements from F5's own documentation (K6917) cross-checked against a well-known reference decoder.

## The fix, which this tool cannot undo

The mitigation is straightforward and worth stating: configure cookie encryption on the persistence profile (F5 K7784). An encrypted persistence cookie carries no readable address, and this tool cannot decode one, by design. If you can decode your production cookie here, so can anyone else, which is the signal to turn encryption on.

## Using it

Paste a `BIGipServer` cookie value to decode the member address and port, or enter an address and port to produce a cookie value. The computation is deterministic and local; nothing is sent anywhere.

## Standards and references

- [F5 K6917 - Overview of BIG-IP persistence cookie encoding](https://my.f5.com/manage/s/article/K6917) - the four cookie encodings and their byte-order rules
- [F5 K7784 - Configuring cookie encryption for cookie persistence](https://my.f5.com/manage/s/article/K7784) - the mitigation: encrypting the persistence cookie so it cannot be decoded
- [drwetter/F5-BIGIP-Decoder (reference implementation)](https://github.com/drwetter/F5-BIGIP-Decoder) - battle-tested decode logic for all flavors, cross-checked against this engine
- [RFC 1918 - Address Allocation for Private Internets](https://www.rfc-editor.org/rfc/rfc1918) - the private IPv4 ranges used to flag an internal pool member
- [RFC 5952 - A Recommendation for IPv6 Address Text Representation](https://www.rfc-editor.org/rfc/rfc5952) - canonical IPv6 formatting of a decoded IPv6 pool member

## Related reading

- [BIG-IP Cookie Persistence Methods and Settings](https://ronutz.com/en/learn/bigip-cookie-persistence-methods.md): Beyond what a BIG-IP persistence cookie contains, there is the question of how it gets there. BIG-IP offers four cookie methods, insert, rewrite, passive, and hash, and a set of profile options for the cookie's name, lifetime, and safety flags. These decide the cookie's operational behavior, separate from its encoded value.
- [BIG-IP Persistence Cookies: What They Are and Why They Leak](https://ronutz.com/en/learn/f5-bigip-persistence-cookies.md): Why an F5 BIG-IP inserts a BIGipServer cookie, what cookie persistence does, what the cookie value actually encodes, and why the default unencrypted form hands an internal address and port to anyone who reads the response.
- [Closing the Leak: BIG-IP Cookie Encryption](https://ronutz.com/en/learn/bigip-cookie-encryption.md): How to stop a BIG-IP persistence cookie from disclosing internal addresses by encrypting it, what the encrypted value looks like, the related cookie hashing and naming options, and the trade-offs of each.
- [The Four BIG-IP Cookie Encodings, Byte by Byte](https://ronutz.com/en/learn/bigip-cookie-formats.md): A precise walk through the four unencrypted BIG-IP persistence cookie formats: default IPv4 with its reversed address bytes and byte-swapped port, IPv4 and IPv6 in route domains, and the IPv6 form, each with a worked decode.
- [What a BIG-IP Cookie Tells an Attacker](https://ronutz.com/en/learn/bigip-cookie-disclosure.md): The persistence cookie is a textbook information disclosure: it reveals internal IP addresses, ports, pool size, and route domains to any client. Why that matters for reconnaissance, how scanners harvest it, and how to think about the risk.
