The F5 BIG-IP appliance must be configured to enable the secure cookie flag.

An XCCDF Rule

Description

<VulnDiscussion>To guard against cookie hijacking, only the BIG-IP APM controller and client must be able to view the full session ID. Session cookies are set only after the SSL handshake between the BIG-IP APM system and the user has completed, ensuring that the session cookies are protected from interception with SSL encryption. To ensure that the client browser will not send session cookies unencrypted, the HTTP header that the BIG-IP APM uses when sending the session cookie is set with the secure option (default). This option is only applicable to the LTM+APM access profile type.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-266163r1024393_rule
Severity: Low
References: CCI-001664
Updated: 16 days ago

Configure each Access Profile to enable the Secure Cookies flag.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.4. Click the access profile name.
5. SSO/Auth Domains tab.
6. Under Cookie Options, check "Secure".
7. Click "Update".
8. Click "Apply Access Policy".

The F5 BIG-IP appliance must be configured to enable the secure cookie flag.

Description

Remediation - Manual Procedure