When the Access Profile Type is LTM+APM and it is not using any connectivity resources (such as Network Access, Portal Access, etc.) in the VPE, the F5 BIG-IP appliance must be configured to enable the HTTP Only flag.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-266162 | F5BI-AP-300151 | SV-266162r1024392_rule | Low |
| Description |
| To guard against cookie hijacking, only the BIG-IP APM controller and client must be able to view the full session ID. Setting the APM HTTP Only flag ensures that a third party will not have access to the active session cookies. This option is only applicable to the LTM+APM access profile type. Other access profile types require access to various session cookies to fully function. Sites must conduct operational testing prior to enabling this setting. For implementations with connectivity resources (such as Network Access, Portal Access, etc.), do not set BIG-IP APM cookies with the HTTP Only flag. |
| STIG | Date |
| F5 BIG-IP TMOS ALG Security Technical Implementation Guide | 2025-06-09 |
Details
| Check Text (C-70086r1023732_chk) |
| If the Access Profile Type is not LTM+APM and it uses connectivity resources (such as Network Access, Portal Access, etc.) in the VPE, then this is not a finding. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the access profile name. 5. SSO/Auth Domains. 6. Under Cookie Options, verify HTTP Only is enabled. If the F5 BIG-IP appliance does not enable the HTTP Only flag, this is a finding. |
| Fix Text (F-69989r1023733_fix) |
| When the Access Profile Type is LTM+APM and it is not using any connectivity resources (such as Network Access, Portal Access, etc.) in the VPE, set the HTTP Only flag. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the access profile name. 5. SSO/Auth Domains. 6. Under Cookie Options, Check the box next to HTTP Only. 7. Click "Update". 8. Click "Apply Access Policy". |