The F5 BIG-IP appliance must be configured to enable the secure cookie flag.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-266163 | F5BI-AP-300152 | SV-266163r1024393_rule | Low |
| Description |
| To guard against cookie hijacking, only the BIG-IP APM controller and client must be able to view the full session ID. Session cookies are set only after the SSL handshake between the BIG-IP APM system and the user has completed, ensuring that the session cookies are protected from interception with SSL encryption. To ensure that the client browser will not send session cookies unencrypted, the HTTP header that the BIG-IP APM uses when sending the session cookie is set with the secure option (default). This option is only applicable to the LTM+APM access profile type. |
| STIG | Date |
| F5 BIG-IP TMOS ALG Security Technical Implementation Guide | 2025-06-09 |
Details
| Check Text (C-70087r1023735_chk) |
| From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the access profile name. 5. SSO/Auth Domains tab. 6. Under Cookie Options, verify "Secure" is enabled. If the F5 BIG-IP appliance APM Policy does not enable the Secure cookies flag, this is a finding. |
| Fix Text (F-69990r1023736_fix) |
| Configure each Access Profile to enable the Secure Cookies flag. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the access profile name. 5. SSO/Auth Domains tab. 6. Under Cookie Options, check "Secure". 7. Click "Update". 8. Click "Apply Access Policy". |