The F5 BIG-IP appliance must be configured to disable the "Persistent" cookie flag.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-260060 | F5BI-AP-000243 | SV-260060r947405_rule | Low |
| Description |
|---|
| For BIG-IP APM deployments with connectivity resources (such as Network Access, Portal Access, etc.), BIG-IP APM cookies cannot be set as "Persistent". This is by design since cookies are stored locally on the client's hard disk and thus could be exposed to unauthorized external access. For some deployments of the BIG-IP APM system, cookie persistence may be required. When cookie persistence is selected, persistence is hard coded at 60 seconds. |
| STIG | Date |
|---|---|
| F5 BIG-IP Access Policy Manager Security Technical Implementation Guide | 2024-01-26 |
Details
| Check Text ( C-63791r947403_chk ) |
|---|
| If the Access Profile is used for applications that require cookie persistence, this is not a finding. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the Access profile name. 5. "SSO/Auth Domains" tab. 6. Under "Cookie Options", verify "Persistent" is disabled. If the F5 BIG-IP appliance APM Policy has the "Persistent" cookie flag enabled, this is a finding. |
| Fix Text (F-63697r947404_fix) |
|---|
| Note: Testing must be performed prior to implementation to prevent operational impact. This setting may break access to certain applications that require cookie persistence. From the BIG-IP GUI: 1. Access. 2. Profiles/Policies. 3. Access Profiles. 4. Click the Access profile name. 5. "SSO/Auth Domains" tab. 6. Under "Cookie Options", uncheck "Persistent". 7. Click "Update." 8. Click "Apply Access Policy". |