An application penetration test has found our cookies are sent in plain text. The project manager is now wanting to terminate the SSL certificates on the servers. He thinks that because there are no certificates on the web servers it isn't possible to create secure cookies, so the only option available is to move the certificates from the F5 to the web servers.
I've had a quick look at the guide and there is an option under the HTTP profile to encrypt cookies. Do I just enable this and create a passphrase, job done? Do I need to be aware of anything when doing this?
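As an added example (not part of the original post, and not F5's own documentation), here is an iRule that does on the BIG-IP what the question describes, so the web servers behind it need no certificate: it encrypts the session cookie on the way out with a passphrase, decrypts it on the way back in, and also marks the cookie Secure and HttpOnly. The cookie name `JSESSIONID` and the passphrase are assumptions for illustration. The HTTP profile's "Encrypt Cookies" setting with its passphrase performs the same encrypt/decrypt step without any iRule; what that setting does not do is add the Secure attribute, and the Secure attribute, not encryption, is what stops the browser sending the cookie over plain HTTP.

```tcl
# Added example, not from the original post or from F5.
# Assumptions (not stated in the post): the application cookie is named
# "JSESSIONID" and the passphrase is "change-this-passphrase".

when RULE_INIT {
    # Cookie name and passphrase; in practice keep the passphrase in the
    # HTTP profile or a data group rather than in the rule text
    set static::cookie_name "JSESSIONID"
    set static::cookie_pass "change-this-passphrase"
}

when HTTP_RESPONSE {
    # Only touch the cookie when the server actually set it on this response
    if { [HTTP::cookie exists $static::cookie_name] } {
        # Encrypt the value with a 128-bit AES key derived from the passphrase
        # (equivalent to the HTTP profile's "Encrypt Cookies" setting)
        HTTP::cookie encrypt $static::cookie_name $static::cookie_pass 128
        # Secure: the browser will only return the cookie over HTTPS,
        # i.e. to the SSL virtual server on the F5
        HTTP::cookie secure $static::cookie_name enable
        # HttpOnly: keep the cookie away from page scripts
        HTTP::cookie httponly $static::cookie_name enable
    }
}

when HTTP_REQUEST {
    # Decrypt before the request is forwarded, so the web server only ever
    # sees the plain session value and never the ciphertext
    if { [HTTP::cookie exists $static::cookie_name] } {
        HTTP::cookie decrypt $static::cookie_name $static::cookie_pass 128
    }
}
```

Attach the rule to the HTTPS virtual server that terminates SSL on the F5. If the profile-level Encrypt Cookies setting is already enabled for the same cookie, drop the `encrypt`/`decrypt` lines and keep only the attribute flags, otherwise the value is encrypted twice.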