Configuring cookie encryption within the HTTP profile

Information

You can configure the BIG-IP LTM system to encrypt HTTP cookies before sending them to the client system. The BIG-IP LTM system can encrypt BIG-IP persistence cookies, as well as cookies that are embedded in the response from the server. You can also configure the BIG-IP LTM system to encrypt cookies to keep information private if the cookie contains sensitive information about the web application.

When cookie encryption is enabled, the BIG-IP LTM system extracts the unencrypted cookie from the server response, encrypts it using a 192-bit AES cipher, and then encodes it using the Base64 encoding scheme. The BIG-IP LTM system then embeds the encrypted cookie into the HTTP response to the client. On subsequent requests, when the client presents the encrypted cookie to the BIG-IP LTM system, BIG-IP LTM removes the cookie, decodes it using the Base64 encoding scheme, and decrypts it. The BIG-IP LTM system then re-embeds the decrypted cookie in the HTTP request to the server.

Solution

1. Log in to the Configuration utility.
2. Navigate to Local Traffic > Profiles.
3. For Services, click HTTP.
4. Click Create.
5. Enter a name for the HTTP profile.
6. In the Encrypt Cookies box, enter one or more cookie names.
7. In the Cookie Encryption Passphrase box, enter a passphrase for the cookie.
8. In the Confirm Cookie Encryption Passphrase box, re-type the passphrase.
9. Click Update.
10. Associate the HTTP profile with the virtual server.

See Also

https://support.f5.com/csp/article/K53108777#link_01

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|I, CCI|CCI-002385, Rule-ID|SV-74797r1_rule, STIG-ID|F5BI-LT-000221, Vuln-ID|V-60367

Plugin: F5

Control ID: 68347cb53e87351d075fc1f62e7cf2411bc11fa9afee0630f8a6c2b8e1c47361