← Back to F5 BIG-IP TMOS ALG Security Technical Implementation Guide

V-266163

CAT III (Low)

The F5 BIG-IP appliance must be configured to enable the secure cookie flag.

Rule ID

SV-266163r1024393_rule

STIG

F5 BIG-IP TMOS ALG Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001664

Discussion

To guard against cookie hijacking, only the BIG-IP APM controller and client must be able to view the full session ID. Session cookies are set only after the SSL handshake between the BIG-IP APM system and the user has completed, ensuring that the session cookies are protected from interception with SSL encryption. To ensure that the client browser will not send session cookies unencrypted, the HTTP header that the BIG-IP APM uses when sending the session cookie is set with the secure option (default). This option is only applicable to the LTM+APM access profile type.

Check Content

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click the access profile name.
5. SSO/Auth Domains tab.
6. Under Cookie Options, verify "Secure" is enabled.

If the F5 BIG-IP appliance APM Policy does not enable the Secure cookies flag, this is a finding.

Fix Text

Configure each Access Profile to enable the Secure Cookies flag.

From the BIG-IP GUI:
1. Access.
2. Profiles/Policies.
3. Access Profiles.
4. Click the access profile name.
5. SSO/Auth Domains tab.
6. Under Cookie Options, check "Secure".
7. Click "Update".
8. Click "Apply Access Policy".