For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

SteveEason's avatar
SteveEason
Icon for Cirrus rankCirrus
May 01, 2020

Cookie Encyrption Question - I'm confused

Recently we were notified by our Security team that the F5 cookies were not secure and needed to be adjusted.   F5 BIG-IP Cookie Remote Information Disclosure (20089) (Tenable scan)   I sta...
BIG-IP
devops
LTM
Heino's avatar
Heino
Icon for Cirrus rankCirrus
May 06, 2020

As you say you are only interested in the BIGIP cookie: encrypt it in the cookie profile instead of http. It is easier to maintain there, and you don't risk interfering with an applications cookies.

If you only want to encrypt the BIGIP cookie, but use the http profile to do it, it seems you need to take the name of your cookie and add that to the http profile as well.

Choose a randomly generated key/passphrase for it (a long one) and store it in your password vault. You never know what you might need in future troubleshooting scenarios.