Cookie Encryption Question - I'm confused
Recently we were notified by our Security team that the F5 cookies were not secure and needed to be adjusted.
F5 BIG-IP Cookie Remote Information Disclosure (20089) (Tenable scan)
I started digging into the documentation to see how to do this and then I discovered that there are 2 settings to encrypt cookies on the F5. One for the F5 cookies and one for the persistence cookies? And vague references to cookies that come from servers? This is where the confusion comes in. The documentation isn't completely clear on this.
The first location is found here: Local Traffic - Profiles : Services : HTTP
This I assume is for the F5 cookies. In this area there are 3 boxes related to Cookie encryption.
1) Encrypt Cookies
2) Cookie Encryption Passphrase
3) Confirm Cookie Encryption Passphrase
The second location is found here: Local Traffic - Profiles : Persistence
I assume this is for cookie persistence, and would not be related to the reported issue by security. (Also because on this site, persistence is disabled)
This area has 2 boxes related to Cookie encryption.
1) Cookie Encryption Use Policy - disabled
2) Encryption Passphrase
QUESTIONS:
1) So to properly mitigate the issue reported to us, I believe I have determined that we have to go to the HTTP profile and enable cookies there. Do I need to put anything in box 1) Encrypt Cookies? Or is that just used for cookies coming from the webservers? They mention in the documentation about entering the list of cookies separated by commas. But we are only concerned about the F5 BIG-IP Cookie.
2) And depending on the answer to that question, do we enter a randomly generated encryption passphrase, or should we use a common one, which we document in our password vault?
3) That being said, if we understand the correct way to mitigate this issue, should we do this in the parent profile so that all our sites have cookie encryption enabled by default? That way all F5 cookies are encrypted from the beginning?
4) And if the answer to that is yes, would that mean just updating the HTTP profile called 'http' to include these changes? Will we need to refresh or do anything to the child profiles for them to see the changes?
Hopefully that lays out enough information to provide you with enough to answer the question. Thanks in advance for any information.
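As an added example (not part of the original post, and not F5's own code): a small Python check that reads Set-Cookie headers, picks out cookies with the BIG-IP default BIGipServer name prefix, and decodes any that are still in the plaintext IPv4 persistence format. That format is what the Tenable finding is about: the pool member address stored as a little-endian 32-bit integer, followed by the byte-swapped port and a trailing 0000. Running it against a site's responses before and after enabling Encrypt Cookies in the HTTP profile shows whether the cookie value is still decodable. The header lines and pool names below are constructed sample data; only the IPv4 form is handled, and any value that does not match it is reported as "opaque" rather than assumed to be encrypted.

```python
import re
import struct

# Constructed sample Set-Cookie headers (not taken from the original post):
# one plaintext BIG-IP persistence cookie, one value that is not decodable,
# and an unrelated application cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerweb_pool=1677787402.20480.0000; path=/",
    "Set-Cookie: BIGipServerapi_pool=!4Ucl9zdGlsbC1kZWNvZGFibGU9; path=/",
    "Set-Cookie: JSESSIONID=abc123; path=/; HttpOnly",
]

# Plaintext IPv4 persistence cookie: <ip-as-int>.<port-as-int>.0000
PLAINTEXT_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")

# Default cookie name prefix used by BIG-IP cookie persistence.
COOKIE_PREFIX = "BIGipServer"


def decode_bigip_cookie(value):
    """Decode an unencrypted IPv4 BIGipServer value to (ip, port), or None."""
    m = PLAINTEXT_RE.match(value)
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # The address is the four dotted-quad bytes read as a little-endian uint32,
    # so packing the integer little-endian gives the bytes back in order.
    ip = ".".join(str(b) for b in struct.pack("<I", ip_int))
    # The port is stored with its two bytes swapped (e.g. 80 -> 20480).
    port = struct.unpack(">H", struct.pack("<H", port_int))[0]
    return ip, port


def parse_set_cookie(header_line):
    """Return (name, value) from a 'Set-Cookie: name=value; ...' line."""
    _, _, rest = header_line.partition(":")
    first = rest.strip().split(";", 1)[0]
    name, _, value = first.partition("=")
    return name.strip(), value.strip()


def audit_headers(header_lines):
    """Report every BIGipServer cookie as plaintext (with decoded member) or opaque."""
    findings = []
    for line in header_lines:
        if not line.lower().startswith("set-cookie:"):
            continue
        name, value = parse_set_cookie(line)
        if not name.startswith(COOKIE_PREFIX):
            continue
        decoded = decode_bigip_cookie(value)
        if decoded is None:
            # Not the plaintext layout; could be encrypted, IPv6 or route-domain
            # format, all of which this IPv4-only check leaves unclassified.
            findings.append((name, "opaque", None))
        else:
            ip, port = decoded
            findings.append((name, "plaintext", f"{ip}:{port}"))
    return findings


if __name__ == "__main__":
    for name, status, member in audit_headers(SAMPLE_HEADERS):
        print(f"{name}: {status}" + (f" -> {member}" if member else ""))
```

Any "plaintext" line means the persistence cookie still reveals a pool member address to the client; after the profile change the same cookie should come back as "opaque". Because the check only recognises the IPv4 layout, treat "opaque" as "not decodable by this script", not as proof of encryption.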